Passwords And Secrets - Generic Secret - Query to find passwords and secrets in infrastructure code. #7311

patsevanton · 2025-01-15T06:13:45Z

patsevanton
Jan 15, 2025

Hello! I have False positive for kubernetes secret in ESO
kics from master git

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: qdrant-token
  namespace: qdrant
spec:
    secretStoreRef:
      name: vault-backend
      kind: ClusterSecretStore
    refreshInterval: "10m"
    target:
      name: qdrant-token
    data:
      - secretKey: QDRANT_API_KEY
        remoteRef:
          key: infra/ycloud/dev/infra/qdrant
          property: qdrant-token

kics output:

kics scan -p '.' --log-level=DEBUG   --report-formats json -o ./results
                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                       
Scanning with Keeping Infrastructure as Code Secure development

Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: eso.yaml:15

		014:     data:
		015:       - secretKey: <SECRET-MASKED-ON-PURPOSE>
		016:         remoteRef:

Results Summary:
CRITICAL: 0
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1

Answered by ArturRibeiro-CX

Feb 8, 2025

Hey @patsevanton,

Thanks for bringing this up!

For bug reports, we usually recommend opening an issue following the defined structure here: Bug Report Template.

To provide more context, in this case, we might need to add a new regex rule to the "Passwords and Secrets" query. You can find the regex rules in the regex_rules.json file here: regex_rules.json. This would help address your specific case and solve the false positive finding.

I hope this helps clarify things!
Thanks for sharing!

View full answer

ArturRibeiro-CX · 2025-02-08T18:47:41Z

ArturRibeiro-CX
Feb 8, 2025
Collaborator

Hey @patsevanton,

Thanks for bringing this up!

For bug reports, we usually recommend opening an issue following the defined structure here: Bug Report Template.

To provide more context, in this case, we might need to add a new regex rule to the "Passwords and Secrets" query. You can find the regex rules in the regex_rules.json file here: regex_rules.json. This would help address your specific case and solve the false positive finding.

I hope this helps clarify things!
Thanks for sharing!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Passwords And Secrets - Generic Secret - Query to find passwords and secrets in infrastructure code. #7311

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Passwords And Secrets - Generic Secret - Query to find passwords and secrets in infrastructure code. #7311

patsevanton Jan 15, 2025

Replies: 1 comment

ArturRibeiro-CX Feb 8, 2025 Collaborator

patsevanton
Jan 15, 2025

ArturRibeiro-CX
Feb 8, 2025
Collaborator