feat(scan): do not trigger false alerts on ExternalSecrets file
#6812
Labels
community
Community contribution
feature request
Community: new feature request
kubernetes
Kubernetes query
query
New query feature
Comments
gusfcarvalho
added
community
gusfcarvalho
changed the title
ExternalSecrets fileExternalSecrets file
|
My original thoughts was on adding a regexp that would avoid files that starts with |
|
Hello @gusfcarvalho, Can you kindly provide a sample where that secret is falsely detected so we can use it for debugging and testing purposes? Best Regards, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
external-secrets is a project used to synchronize sensitive information from secrets providers and kubernetes clusters without needing the end user to have any credentials whatsoever. It is also compatible with IaC by leveraging any GitOps mechanism to deploy the manifests onto the target cluster.
currently, any ExternalSecret manifest generates a false alert, as a reference to kubernetes Secret key (named
secretKey) is identified as a sensitive information (while it is really a metadata address for the Key, not for the Value).Describe the solution you'd like
ExternalSecrets manifests should be avoided by adding a specific avoid rule in https://github.com/Checkmarx/kics/blob/master/assets/queries/common/passwords_and_secrets/regex_rules.json#L30C1-L47
Describe alternatives you've considered
Deal with the pain of false alerts for a tool that actually helps reducing sensitive information in git repos in the first place :)
Additional context
This discussion here triggered me to open up this issue.
The text was updated successfully, but these errors were encountered: