awslabs / automated-security-helper

https://awslabs.github.io/automated-security-helper/
Apache License 2.0

.git/config [secrets] removed in ash #48

Closed bestickley closed 5 months ago

bestickley commented 5 months ago

When I run ash on my project I'm getting "Dockerfile Dockerfile-git returned 1", but when I run git secrets --scan --recursive there is no error. My .git/config has this:

[secrets]
    allowed = ^\\./infra/cdk.context.json:.*

but see this from my aggregated_results.txt:

OK
git config --local --get-regexp "^secrets\..*$" output:
secrets.providers git secrets --aws-provider
secrets.patterns (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
secrets.patterns ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
secrets.patterns ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
secrets.allowed AKIAIOSFODNN7EXAMPLE
secrets.allowed wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
>>>>>> begin git secrets --scan result >>>>>>
infra/cdk.context.json:2:  "availability-zones:account=211125606836:region=us-east-1": [
infra/cdk.context.json:10:  "ssm:account=211125606836:parameterName=/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64:region=us-east-1": "ami-0277155c3f0ab2930",
infra/cdk.context.json:11:  "availability-zones:account=905418358903:region=us-east-1": [
infra/cdk.context.json:19:  "ssm:account=905418358903:parameterName=/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64:region=us-east-1": "ami-0440d3b780d96b29d"

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
<<<<<< end git secrets --scan result <<<<<<
#############################################
End of  /out/work/git_report_result.txt
#############################################

which shows ash isn't respecting my local custom git secrets configuration :(

bestickley commented 5 months ago

My workaround is to just use .gitallowed. Note, though, that you'll need to commit the .gitallowed for it to be picked up by ash.

bestickley commented 5 months ago

.git/config isn't transferred to the ash container because git clone doesn't include .git/config. I'm still not able to allow secrets to mark git secrets as false positives, but this issue isn't valid, based on .git/config not being transferred, so I'm closing it.
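The thread's point, that a secrets.allowed entry living only in .git/config is gone after the clone ash scans while a committed .gitallowed travels with the repository, is easiest to see in a small model of the git-secrets filtering step. The Python below is an added example, not code from the issue, ash or git-secrets; it assumes the behaviour the git-secrets README documents (allowed patterns are tested against the "path:lineno:content" hit lines, and lines in .gitallowed starting with "#" are comments), reuses the prohibited and allowed patterns printed in the aggregated_results.txt above, and runs over constructed sample files rather than the reporter's repository.

```python
import re

# Prohibited patterns copied from the secrets.patterns entries in the issue's aggregated_results.txt
# (what 'git secrets --register-aws' installs). Word-boundary matching (git grep -w) is not modelled.
PROHIBITED = [re.compile(p) for p in (
    r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}",
    r"""("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?""",
    r"""("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?""",
)]
# secrets.allowed entries from the same output (the AWS documentation example credentials).
DEFAULT_ALLOWED = ["AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"]

# Constructed sample tree, not the reporter's repository; the context.json lines mirror the issue's hits.
FILES = {
    "infra/cdk.context.json": (
        '{\n  "availability-zones:account=211125606836:region=us-east-1": [\n    "us-east-1a"\n  ],\n'
        '  "ssm:account=211125606836:region=us-east-1": "ami-0277155c3f0ab2930"\n}\n'
    ),
    "README.md": "Docs use the placeholder key AKIAIOSFODNN7EXAMPLE\n",
}
# Constructed .gitallowed; committed to the repo, so unlike .git/config it survives a clone.
GITALLOWED = "# CDK context holds account ids, not secrets\n^infra/cdk\\.context\\.json:.*\n"


def scan(files):
    """Model of the scan step ('git grep -nHE'): one 'path:lineno:content' entry per offending line."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in PROHIBITED):
                hits.append(f"{path}:{n}:{line}")
    return hits


def load_gitallowed(text):
    """Parse .gitallowed: one ERE per line, blank lines and '#' comments skipped (assumed format)."""
    return [l for l in (x.strip() for x in text.splitlines()) if l and not l.startswith("#")]


def apply_allowed(hits, allowed):
    """git-secrets filters the hit lines themselves, so an allowed pattern may anchor on the path prefix."""
    allowed_re = [re.compile(a) for a in allowed]
    return [h for h in hits if not any(a.search(h) for a in allowed_re)]


if __name__ == "__main__":
    hits = scan(FILES)
    print(len(hits), "raw hits")                                               # 3
    print(len(apply_allowed(hits, DEFAULT_ALLOWED)), "after secrets.allowed")  # 2 (context.json only)
    print(apply_allowed(hits, DEFAULT_ALLOWED + load_gitallowed(GITALLOWED)))  # []
```

Dropping the .gitallowed list from the last call reproduces the reporter's situation: the two account-id hits in infra/cdk.context.json remain and the scan fails.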