
     1  package ecs
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/khulnasoft-lab/defsec/internal/rules"
    14  
    15  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    16  
    17  	"github.com/owenrumney/squealer/pkg/squealer"
    18  )
    19  
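// CheckNoPlaintextSecrets flags ECS container definitions that carry secret
// material in plain `environment` entries. An entry is reported when either
// its value looks like a secret (squealer's string scanner) or its name
// matches one of sensitiveAttributeTokens (see isSensitiveAttribute). Only
// the Environment list of each container is inspected.
var CheckNoPlaintextSecrets = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0036",
		Provider:    providers.AWSProvider,
		Service:     "ecs",
		ShortCode:   "no-plaintext-secrets",
		Summary:     "Task definition defines sensitive environment variable(s).",
		Impact:      "Sensitive data could be exposed in the AWS Management Console",
		Resolution:  "Use secrets for the task definition",
		Explanation: `You should not make secrets available to a user in plaintext in any scenario. Secrets can instead be pulled from a secure secret storage system by the service requiring them.`,
		Links: []string{
			"https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html",
			"https://www.vaultproject.io/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPlaintextSecretsGoodExamples,
			BadExamples:         terraformNoPlaintextSecretsBadExamples,
			Links:               terraformNoPlaintextSecretsLinks,
			RemediationMarkdown: terraformNoPlaintextSecretsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPlaintextSecretsGoodExamples,
			BadExamples:         cloudFormationNoPlaintextSecretsBadExamples,
			Links:               cloudFormationNoPlaintextSecretsLinks,
			RemediationMarkdown: cloudFormationNoPlaintextSecretsRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {

		// Created once and reused for every environment value in the state.
		scanner := squealer.NewStringScanner()

		for _, definition := range s.AWS.ECS.TaskDefinitions {
			for _, container := range definition.ContainerDefinitions {
				for _, env := range container.Environment {
					// Either signal is sufficient on its own: a secret-looking
					// value under an innocuous name, and a sensitive name whose
					// value does not trip the scanner, are both reported.
					//
					// NOTE(review): the name check is substring-based, so a
					// variable such as DB_PASSWORD_ARN that holds a Secrets
					// Manager reference rather than the secret itself is still
					// reported here.
					result := scanner.Scan(env.Value)
					if !result.TransgressionFound && !isSensitiveAttribute(env.Name) {
						// Passes are recorded per variable, so a definition with
						// both clean and sensitive variables yields both kinds.
						results.AddPassed(&definition)
						continue
					}

					// result.Description only carries information for a value
					// match; append it when present so a name-only finding does
					// not end in a dangling "': ".
					msg := fmt.Sprintf("Container definition contains a potentially sensitive environment variable '%s'", env.Name)
					if result.Description != "" {
						msg += ": " + result.Description
					}
					results.Add(msg, container)
				}
			}
		}
		return
	},
)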
    69  
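// sensitiveAttributeTokens are substrings that, found anywhere in a
// normalised (lower-case, underscore-separated) environment variable name,
// mark it as probably carrying a secret. Matching is substring-based, so
// "db_password_hash" matches "password".
var sensitiveAttributeTokens = []string{
	"password",
	"secret",
	"private_key",
	"aws_access_key_id",
	"aws_secret_access_key",
	"token",
	"api_key",
}

// whitelistTokens are suffixes that override a token match: a name ending in
// one of them describes metadata about a secret (its type or version)
// rather than the secret itself, e.g. "token_type" or "password_version".
var whitelistTokens = []string{
	"token_type",
	"version",
}

// isSensitiveAttribute reports whether an environment variable name looks
// like it names a secret. The comparison is case-insensitive and treats '-'
// like '_', so "API-KEY" and "private-key" are caught alongside their
// underscore spellings. A name ending in one of whitelistTokens is never
// sensitive, whatever else it contains. Only the name is consulted; the
// variable's value is not.
func isSensitiveAttribute(name string) bool {
	// Normalise case and word separators so the token lists only need the
	// lower-case, underscore spelling.
	normalized := strings.ReplaceAll(strings.ToLower(name), "-", "_")

	// The suffix exclusion depends only on the whole name, so it can be
	// evaluated once up front rather than per matched token.
	for _, suffix := range whitelistTokens {
		if strings.HasSuffix(normalized, suffix) {
			return false
		}
	}

	for _, token := range sensitiveAttributeTokens {
		if strings.Contains(normalized, token) {
			return true
		}
	}
	return false
}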