
Commit 0633858

pazbechorpazbechor
and
pazbechor
authored
fix(secrets): Remove both random and base64 entropy secrets finding (#6969)
* fix a bug where multiple regexes supplied separated by a | sign (in a multiline policy) were captured, so the matching group becomes the match, and an empty match occurs when only one pattern caught the secret * adding the fix. Should be merged only after merging this PR #6967 * . * . --------- Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>
1 parent 22f0534 commit 0633858

1 file changed

+17
-1
lines changed


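--- a/checkov/secrets/runner.py
+++ b/checkov/secrets/runner.py
@@ -73,7 +73,9 @@
 'Hex High Entropy String': 'CKV_SECRET_19'
 }
 
-ENTROPY_CHECK_IDS = {'CKV_SECRET_6', 'CKV_SECRET_19', 'CKV_SECRET_80'}
+BASE64_HIGH_ENTROPY_CHECK_ID = 'CKV_SECRET_6'
+RANDOM_HIGH_ENTROPY_CHECK_ID = 'CKV_SECRET_80'
+ENTROPY_CHECK_IDS = {BASE64_HIGH_ENTROPY_CHECK_ID, 'CKV_SECRET_19', RANDOM_HIGH_ENTROPY_CHECK_ID}
 GENERIC_PRIVATE_KEY_CHECK_IDS = {'CKV_SECRET_4', 'CKV_SECRET_10', 'CKV_SECRET_13', 'CKV_SECRET_192'}
 
 CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()}
@@ -279,6 +281,20 @@ def run(
 secret_key_by_line = f'{key}_{secret.line_number}'
 secret_key_by_line_to_secrets[secret_key_by_line].append(secret)
 
+# If same line contains both Random High Entropy & Base64 High Entropy, only the Random one remains.
+# https://jira-dc.paloaltonetworks.com/browse/BCE-42547
+for key, secrets_by_line in secret_key_by_line_to_secrets.items():
+if not any([s.check_id == RANDOM_HIGH_ENTROPY_CHECK_ID for s in secrets_by_line]):
+continue
+new_secrets = list()
+key_with_no_line = key[:-2]
+for s in secrets_by_line:
+if SECRET_TYPE_TO_ID.get(s.type) == BASE64_HIGH_ENTROPY_CHECK_ID:
+continue
+new_secrets.append(s)
+secret_key_by_line_to_secrets[key] = new_secrets
+secrets[key_with_no_line] = set(new_secrets)
+
 for key, secret in secrets:
 check_id = secret.check_id if secret.check_id else SECRET_TYPE_TO_ID.get(secret.type)
 if not check_id: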
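Review bot: `key_with_no_line = key[:-2]` only recovers the per-file key when the line number is a single digit, because the key is built as `f'{key}_{secret.line_number}'` two lines above the loop; for line 42 it yields `'<file>_'` and for line 123 `'<file>_1'`, so `secrets[key_with_no_line] = set(new_secrets)` writes a bogus entry under a non-existent file key while the duplicate Base64 finding on the real key is never removed. A second problem on the same line is that, assuming `secrets[...]` is the per-file collection the assignment implies, it replaces the file's entire finding set with the secrets of one line, so a file with a Random High Entropy hit on one line silently loses every finding on its other lines — a false-negative bug in a secrets scanner. Deriving the file key with `key.rpartition('_')` (line numbers contain no `_`, so the last separator is always the one added by the f-string) and subtracting only the suppressed secrets from the file's set avoids both, and using the same `check_id`-with-`SECRET_TYPE_TO_ID` fallback that line 299 uses for both the Random and the Base64 test would make the two conditions consistent. `run()` begins and ends outside this hunk.
```python
# … unchanged: grouping of secrets by f'{file}_{line}' …
for key, secrets_by_line in secret_key_by_line_to_secrets.items():
    if not any(s.check_id == RANDOM_HIGH_ENTROPY_CHECK_ID for s in secrets_by_line):
        continue
    # The key is f'{file_key}_{line_number}'; line numbers never contain '_',
    # so the last '_' is the separator however many digits the line has.
    file_key, _, _ = key.rpartition('_')
    dropped = {s for s in secrets_by_line
               if SECRET_TYPE_TO_ID.get(s.type) == BASE64_HIGH_ENTROPY_CHECK_ID}
    secret_key_by_line_to_secrets[key] = [s for s in secrets_by_line if s not in dropped]
    # Remove only the suppressed Base64 findings; findings on other lines of the file stay.
    secrets[file_key].difference_update(dropped)
```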
