Refactor kubernetes-secret rule #1462
Conversation
@marcm-ml @brampat @fabio-sv This seems fairly complete to me. If you have a moment, give the new rule a try and let me know if it fixes the false positives you're seeing.

Update: it seems to pass the Kubernetes repo with a solid true/false positive ratio. Scan output:
@rgmz Thank you for the quick response. I've tested it as so:

So, unless my testing method is off, this seems like it solves the false positives for me.
My false positives are fully resolved by this. Thanks for the quick fix 👍 Outside the scope of this PR: I would like to hear your thoughts about this.

If I understand correctly @marcm-ml: see if rules can detect replacement tags / template usage and, in those cases, don't mark those as scanned secrets, since they'll contain a key that references a secret stored somewhere else (e.g. in a vault).

I created #1513 to track some follow-up ideas. I don't have personal experience with either of these; if you can provide examples of 'true' positives, that would be useful for future reference.
I've upgraded to gitleaks 8.9.2 and scanned the repo again. Unfortunately it now triggers the new rule again.

File:
apiVersion: v1

Violates (pruned the committer info):
Finding: kind: Secret

I think this is still pending release.

Are you sure? I've checked the commit log for that release:

And I see the refactoring stuff is in there.

It's a bit confusing. Those are the changes that have happened since that release. Regardless, the example you shared had
Description:
This is a follow-up to #1454.

Changes:
- secretGroup isn't set (#1459)
- Collapse kubernetes-secret-with-data-before and kubernetes-secret-with-data-after into a single rule
- TODO: stringData in the future.

Checklist: