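package actions

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPlainTextActionEnvironmentSecrets registers rule AVD-GIT-0002 for the
// GitHub "actions" service.
//
// The check walks every adapted GitHub Actions environment secret in the state
// and fails any managed secret whose PlainTextValue is non-empty; the finding is
// attached to that value so the report points at the plaintext_value attribute.
// Managed secrets with an empty PlainTextValue are recorded as passed. Entries
// whose metadata is unmanaged are skipped entirely (presumably not defined in
// the scanned configuration, so there is no attribute to judge — see IsUnmanaged).
//
// Rationale (from the Explanation below): marking plaintext_value as sensitive
// only affects Terraform's output; the literal is still written to state, which
// must itself be treated as a secret. The Resolution therefore steers users to
// encrypted_value populated from a resource, data source or variable.
var CheckNoPlainTextActionEnvironmentSecrets = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GIT-0002",
		Provider:    providers.GitHubProvider,
		Service:     "actions",
		ShortCode:   "no-plain-text-action-secrets",
		Summary:     "Ensure plaintext value is not used for GitHub Action Environment Secret.",
		Impact:      "Unencrypted sensitive plaintext value can be easily accessible in code.",
		Resolution:  "Do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable.",
		Explanation: `For the purposes of security, the contents of the plaintext_value field have been marked as sensitive to Terraform, but this does not hide it from state files. 
State should be treated as sensitive always.`,
		Links: []string{
			"https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret",
			"https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPlainTextActionSecretsGoodExamples,
			BadExamples:         terraformNoPlainTextActionSecretsBadExamples,
			Links:               terraformNoPlainTextActionSecretsLinks,
			RemediationMarkdown: terraformNoPlainTextActionSecretsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate the rule against a fully adapted state. Returns one Result per
	// managed environment secret (failed or passed); nil/empty when there are
	// none.
	func(s *state.State) (results scan.Results) {
		secrets := s.GitHub.EnvironmentSecrets
		// Index the slice and take the address of the element rather than of
		// the range variable: before Go 1.22 `&environmentSecret` is the same
		// address on every iteration, so if AddPassed retained the pointer every
		// passed result would alias the last secret. Addressing the element is
		// correct either way.
		for i := range secrets {
			secret := &secrets[i]
			if secret.Metadata.IsUnmanaged() {
				continue
			}
			// Any non-empty plaintext_value is a finding. The value itself is
			// passed so the result is anchored to that attribute's location.
			if secret.PlainTextValue.IsNotEmpty() {
				results.Add("Secret has plain text value", secret.PlainTextValue)
				continue
			}
			results.AddPassed(secret)
		}
		return results
	},
)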