Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

bug(aws): false positive on Hardcoded AWS Access Key In Lambda, (2564172f-c92b-4261-9acd-464aed511696) #7023

Open pepdekpd opened 5 months ago

pepdekpd commented 5 months ago

Running the KICS GitHub Action 2.0 on a Lambda with the following environment variables:

apiCredentials = <name of secure ssm parameter>
entity = <name>
logLevel = <loglevel>
progressMarker = <name of ssm parameter>
region = <region>
targetBucket = <bucketname>

Results in:

Hardcoded AWS Access Key In Lambda, Severity: HIGH, Results: 4
Description: Lambda access/secret keys should not be hardcoded
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696

    [1]: aws/cdk.out/di-dp-source-***********-dev.template.json:319

        318:     "Environment": {
        319:      "Variables": {
        320:       "progressMarker": {

Expected Behavior

I do not think this is an issue: the variables (apiCredentials, progressMarker) point to the names of Systems Manager Parameter Store parameters. The Lambda retrieves the credential values using the names of the parameters; it is not a "Hardcoded AWS Access Key In Lambda", so the vulnerability should not be raised in this case.
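The distinction the report draws, as an added example that is not KICS's own query logic (which is not shown on this page): a small checker that walks a CloudFormation template's Lambda Environment.Variables and flags only literal values of AWS key shape, so SSM parameter names and intrinsic references such as {"Ref": ...} pass. The template, the resource names and the key-format regexes are assumptions; the flagged key values are the AWS documentation example keys.

```python
import re

# Assumed key-shape heuristics (not KICS's own query): IAM access key IDs are
# "AKIA"/"ASIA" plus 16 upper-case alphanumerics; secret access keys are 40
# characters of base64-style text.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")

def is_hardcoded_key(value):
    """True only when the literal value itself looks like an AWS key.
    Intrinsic functions ({"Ref": ...}, {"Fn::...": ...}) and plain SSM
    parameter names are never keys, however the variable is named."""
    if not isinstance(value, str):
        return False  # resolved at deploy time, nothing literal to leak
    if ACCESS_KEY_ID_RE.match(value):
        return True
    return bool(SECRET_KEY_RE.match(value)
                and any(c.isdigit() for c in value)
                and any(c.isalpha() for c in value))

def find_hardcoded_lambda_keys(template):
    """Return [(logical_id, variable_name)] for every Lambda function whose
    Environment.Variables carries a literal access key ID or secret."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Function":
            continue
        props = resource.get("Properties", {})
        variables = props.get("Environment", {}).get("Variables", {})
        for name, value in variables.items():
            if is_hardcoded_key(value):
                findings.append((logical_id, name))
    return findings

# Constructed template: SourceFunction mirrors the report (parameter names and
# references only); LeakyFunction embeds the AWS documentation example keys.
CONSTRUCTED_TEMPLATE = {"Resources": {
    "SourceFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Environment": {"Variables": {
            "apiCredentials": "/dev/source/api-credentials",  # SSM name
            "progressMarker": {"Ref": "ProgressMarkerParameter"},
            "region": {"Ref": "AWS::Region"},
            "targetBucket": "di-dp-source-dev-bucket"}}}},
    "LeakyFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Environment": {"Variables": {
            "API_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
            "API_SECRET": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}}}}}
```

Running find_hardcoded_lambda_keys(CONSTRUCTED_TEMPLATE) reports only the two LeakyFunction variables; the reported SourceFunction pattern produces no finding.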

gabriel-cx commented 4 months ago

Hi @pepdekpd ,

Thank you for your input! Our internal AppSec team will check it soon. We will keep you updated.

(APPSEC-2557)

gabriel-cx commented 4 months ago

Hi @pepdekpd ,

Is it possible for you to provide more information regarding your problem? Our internal AppSec team was not able to reproduce the problem.

If you can provide us with a mock code sample that contains no sensitive information and also triggers the same problem as the original code sample, it will help us a lot to fully understand the problem and provide you with the best information.

gabriel-cx commented 4 months ago

@pepdekpd thank you so much! Yes, the template you sent is enough for us to analyze!

Note that I deleted your comment to make sure none of your code is shared online, for security purposes! I already have a copy in my local environment, so we can work on it on our side. Hope this is okay with you! I will keep you updated.