1 yıl önce · 3c0e068b69
--- a/cmd/generate/config/rules/kubernetes.go
+++ b/cmd/generate/config/rules/kubernetes.go
@@ -12,7 +12,7 @@ import (
 
															 func KubernetesSecret() *config.Rule {
														
 
															 	// Only match basic variations of `kind: secret`, we don't want things like `kind: ExternalSecret`.
														
 
															 	//language=regexp
														
 
															-	kindPat := `\bkind:[ \t]*["']?secret["']?`
														
 
															+	kindPat := `\bkind:[ \t]*["']?\bsecret\b["']?`
														
 
															 	// Only matches values (`key: value`) under `data:` that are:
														
 
															 	// - valid base64 characters
														
 
															 	// - longer than 10 characters (no "YmFyCg==")
														
@@ -39,6 +39,9 @@ func KubernetesSecret() *config.Rule {
 
															 					// variable: ""
														
 
															 					// variable: ''
														
 
															 					regexp.MustCompile(`[\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:\{\{[ \t\w"|$:=,.-]+}}|""|'')`),
														
 
															+					// TODO: Requires multiple allowlists to target match.
														
 
															+					// Avoid overreach between directives.
														
 
															+					//regexp.MustCompile(`(kind:(.|\s)+\n---\n(.|\s)+\bdata:|data:(.|\s)+\n---\n(.|\s)+\bkind:)`),
														
 
															 				},
														
 
															 			},
														
 
															 		},
														
@@ -239,6 +242,43 @@ metadata:
 
															   name: kubernetes-dashboard-key-holder
														
 
															   namespace: kubernetes-dashboard
														
 
															 type: Opaque
														
 
															+`,
														
 
															+		// TODO: Requires multiple allowlists.
														
 
															+		//		"overly-permissive3.yaml": ` kind: Secret
														
 
															+		//  target:
														
 
															+		//    name: mysecret
														
 
															+		//    creationPolicy: Owner
														
 
															+		//
														
 
															+		//---
														
 
															+		//
														
 
															+		//kind: ConfigMap
														
 
															+		//  data:
														
 
															+		//        conversionStrategy: Default
														
 
															+		//        decodingStrategy: None
														
 
															+		//        key: secret/mysecret
														
 
															+		//        property: foo
														
 
															+		//      secretKey: foo`,
														
 
															+		// https://github.com/gitleaks/gitleaks/issues/1644
														
 
															+		"wrong-kind.yaml": `apiVersion: external-secrets.io/v1beta1
														
 
															+kind: ExternalSecret
														
 
															+metadata:
														
 
															+  name: example
														
 
															+  namespace: example-ns
														
 
															+spec:
														
 
															+  refreshInterval: 15s
														
 
															+  secretStoreRef:
														
 
															+    name: example
														
 
															+    kind: SecretStore
														
 
															+  target:
														
 
															+    name: mysecret
														
 
															+    creationPolicy: Owner
														
 
															+  data:
														
 
															+    - remoteRef:
														
 
															+        conversionStrategy: Default
														
 
															+        decodingStrategy: None
														
 
															+        key: secret/mysecret
														
 
															+        property: foo
														
 
															+      secretKey: foo
														
 
															 `,
														
 
															 		"sopssecret.yaml": `apiVersion: isindir.github.com/v1alpha3
														
 
															 kind: SopsSecret
														
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -2327,7 +2327,7 @@ keywords = ["kraken"]
 
															 [[rules]]
														
 
															 id = "kubernetes-secret-yaml"
														
 
															 description = "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"
														
 
															-regex = '''(?i)(?:\bkind:[ \t]*["']?secret["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9+/]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9+/]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?secret["']?)'''
														
 
															+regex = '''(?i)(?:\bkind:[ \t]*["']?\bsecret\b["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9+/]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9+/]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?\bsecret\b["']?)'''
														
 
															 path = '''(?i)\.ya?ml$'''
														
 
															 keywords = ["secret"]
														
 
															 # NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead.