bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

[CKV_SECRET_6] Base64 High Entropy String #5405

Open GunasheelaSatharasi opened 1 year ago

GunasheelaSatharasi commented 1 year ago

Describe the issue

An incorrect result is being generated for the "Base64 High Entropy String" scan. Checkov is expecting different names for the resource names, such as Keyvault resource group name and Keyvault name. It seems to be checking for non-sensitive values, which is not what is required.

Error message:

Resource: 4e70246419ef4003644606103ef18316880dd56e
File: /../../../../a/checkov_modules_southeastasia.json: 772-773
Guideline: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html

    772 | "resource_group_name": "rg-****",


PascalTurbo commented 1 year ago

I have an equal issue here

Check: CKV_SECRET_6: "Base64 High Entropy String"
    FAILED for resource: f53c4e1ecf5e03a16e84df0eed4606369891ba3b
    File: /values.yaml:28-29
    Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html

        28 |   zephyrTokenSecretName: "zeph***************"

The value is zephyrTokenSecretName: "zephyr-token-secret" and it's only a reference to the Secret and not a Password.

fractos commented 12 months ago

Equivalent error here:

Check: CKV_SECRET_6: "Base64 High Entropy String"
    FAILED for resource: 031142ef3114c1b5ec79[...]
Error:  File: /terragrunt.hcl:35-36
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

        35 |   rds_secrets_kms_key_alias  = "alias***************"
rds_secrets_kms_key_alias = "alias/rds-secrets-qa"

AliSoftware commented 7 months ago

Having a similar false positive when running checkov on our tfplan.json JSON terraform plan:

61 |       "SecretsBucket": "a8c-**********"

aukevanleeuwen commented 5 months ago

Same, even the word Authorization (as the value of the API key name) is too much.

2055 |       "ApiKeyName": "Aut**********",

Worse though: I don't know how to turn this off. Where I can normally ignore a check with metadata on the CloudFormation resource, for this check that doesn't work. The following will still produce the same error:

  "OriginSlackNotificationSlackConnection27891751": {
   "Type": "AWS::Events::Connection",
   "Properties": {
    "AuthParameters": {
     "ApiKeyAuthParameters": {
      "ApiKeyName": "Authorization",
      "ApiKeyValue": "{{resolve:secretsmanager:arn:aws:secretsmanager:eu-central-1:109936831616:secret:/vault/slack-integration:SecretString:botUserToken::}}"
     },
     "InvocationHttpParameters": {
      "HeaderParameters": [
       {
        "IsValueSecret": false,
        "Key": "Content-Type",
        "Value": "application/json;charset=utf-8"
       }
      ]
     }
    },
    "AuthorizationType": "API_KEY",
    "Description": "API connection to Slack workspace"
   },
   "Metadata": {
    "aws:cdk:path": "OfdMainServiceStack/OriginSlackNotification/SlackConnection/Connection",
    "checkov": {
     "skip": [
      {
       "id": "CKV_SECRET_6",
       "comment": "False positive: it thinks \"Authorization\" (as a word) has too much entropy and is a secret"
      }
     ]
    }
   }
  }

I'm using $.Metadata.checkov.skip in other places as well, but for CKV_SECRET_6 that doesn't work. Also I cannot add comments to JSON obviously, like you can with terraform HCL or something.

tsmithv11 commented 4 months ago

Hi folks, you can increase the entropy level required to flag findings using the env variable CHECKOV_ENTROPY_KEYWORD_LIMIT. CHECKOV_ENTROPY_KEYWORD_LIMIT=3.6 removes many of these FPs. You can also use --skip-check to skip this policy altogether.
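As an added illustration (not checkov's own code, and not a reproduction of its regexes, keyword matching or line tokenization): Shannon entropy over the base64 alphabet for several of the strings quoted in this thread, compared against an assumed low threshold of 3.0 and the 3.6 suggested above. The function and sample names are mine.

```python
# Added example, not checkov's own code. Approximates what an entropy-based
# secret check does: Shannon entropy (bits per character) over the base64
# alphabet, compared against a configurable limit.
import math
import string

BASE64_CHARSET = string.ascii_letters + string.digits + "+/="


def shannon_entropy(value: str, charset: str = BASE64_CHARSET) -> float:
    """Entropy of the character distribution. Characters outside `charset`
    are not counted but still contribute to the length, as detect-secrets
    style scanners do."""
    if not value:
        return 0.0
    length = len(value)
    entropy = 0.0
    for ch in set(value):
        if ch not in charset:
            continue
        p = value.count(ch) / length
        entropy -= p * math.log2(p)
    return entropy


def is_flagged(value: str, limit: float) -> bool:
    """A value is reported when its entropy exceeds the configured limit."""
    return shannon_entropy(value) > limit


# Constructed samples: identifiers quoted as false positives in this thread,
# plus one random-looking token made of 20 distinct characters.
SAMPLES = {
    "Authorization": "Authorization",
    "zephyr-token-secret": "zephyr-token-secret",
    "alias/rds-secrets-qa": "alias/rds-secrets-qa",
    "MyProjectDF": "MyProjectDF",
    "random-looking": "Qk7xPz3mL9vR2sTw8yBn",
}


def classify(limit: float) -> dict:
    """Which samples would be reported at a given entropy limit."""
    return {name: is_flagged(value, limit) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    # Assumed limits: 3.0 as a low keyword-assisted default, 3.6 as suggested above.
    for limit in (3.0, 3.6):
        print(f"limit {limit}:", classify(limit))
    for name, value in SAMPLES.items():
        print(f"{name}: {shannon_entropy(value):.2f} bits/char")
```

Short identifiers reach these values easily: a 13-character string with no repeated characters cannot exceed log2(13), about 3.70, so a limit near 3.0 reports many ordinary names. A limit of 3.6 drops the four identifiers above while still catching the 20-character token at about 4.32.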

Saarett commented 4 months ago

Thanks, @tsmithv11. I’ll leave this issue open for a while to see if there’s more engagement on this matter.

Joao23-sudo commented 4 months ago

Guys, what's up?

I got the same error when trying to upload a resource to Azure, in this case I am trying to upload a Function App, where I put 2 values to fetch from Application Insights, the instrumentation Key and the Connection String of the same, but the value presented I do not know where it might be taken from.

Error message:

Guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

    671 | "password": "ckMdPC**"

I don't know if the resolution shown in the link makes sense for my problem in question; if anyone has any comments on it, I'd be grateful.

Possible solution presented by Checkov:

resource "aws_glue_connection" "examplevpc" {
  connection_properties = {
    JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
  }
}

What it calls Password doesn't make much sense, because I can't find this value in any of the resources or in the Plan section of my code.

The option I'm trying to find is to SKIP this policy, but I'd like to understand where this result comes from :)

This also happens when I set the value default sensitive = true.

Saarett commented 4 months ago

Hi @Joao23-sudo, I hope you find @tsmithv11's response helpful.

akzov commented 4 months ago

I'm guessing this is a new default. My example is azurerm_automation_source_control, which has a value token_type = "PersonalAccessToken" that triggers this, but somehow token = "value" doesn't.

This wasn't an issue last week.

serbezki commented 3 months ago

I just passed CHECKOV_ENTROPY_KEYWORD_LIMIT=3.6 as an env var while running and nothing changes - still a bunch of false positives. I'm going to go with local silences in code, but I find it silly that I have to do that with strings like "MyProjectDF".

AlexBurkey commented 1 month ago

Reporting a false negative:

Check fails (correctly): datadog_api_key = "redacted"

Check passes (incorrectly): datadog_app_key = "redacted-but-same-value"

Passing in CHECKOV_ENTROPY_KEYWORD_LIMIT=3.6 as an env variable did not change the results.