Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
Ensure that security schemes don’t allow cleartext credentials over unencrypted channel - version 3.x.y files
Description

Currently:

`type: http` with `scheme: basic` fails
`type: http` with `scheme: bearer` (or anything else) passes

After this change:

`type: http` with `scheme: basic` fails
`type: http` with `scheme: bearer` (or anything else) passes

Fixes #6172

Let's restate the purpose of CKV_OPENAPI_3:

Currently, `type: http` and `scheme: basic` fail this check, which is good. Failing http+basic ensures that cleartext credentials aren't transmitted at all, but it doesn't check whether the channel is unencrypted (http vs. https), which the check doesn't seem to accomplish at all (separate issue). But `type: http` and `scheme: bearer` uses opaque tokens that aren't considered cleartext, and thus should pass this check but currently fails.

To be clear, `type: https` isn't a valid type; those are the possible `type` values:

> [...] where each scheme can be of type:
> http – for Basic, Bearer and other HTTP authentication schemes

Source: https://swagger.io/docs/specification/authentication/

Fix

This is a false-positive and thus existing code should work fine and pass. If people disabled CKV_OPENAPI_3 to bypass this check then they could re-enable it after this PR is merged.

Checklist:

[x] My code follows the style guidelines of this project
[x] I have performed a self-review of my own code
[x] I have commented my code, particularly in hard-to-understand areas
[ ] I have made corresponding changes to the documentation
[x] I have added tests that prove my feature, policy, or fix is effective and works
[ ] New and existing tests pass locally with my changes
[x] Any dependent changes have been merged and published in downstream modules

Note: all tests are passing except 9 of them that complain about the aiodns library. Not sure how to solve that:
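The rule the PR description arrives at, as an added example that is not Checkov's own code: only `type: http` combined with `scheme: basic` sends cleartext credentials, so only that combination fails, while bearer (or any other scheme) passes. The spec is a constructed OpenAPI 3 document held as an already-parsed dict, and `cleartext_servers` is an added helper for the channel gap the author calls out (plain `http://` server URLs), which CKV_OPENAPI_3 itself does not cover.

```python
# Added example, not Checkov's own implementation: the CKV_OPENAPI_3 logic as
# the PR describes it, applied to a constructed OpenAPI 3 document.

SAMPLE_SPEC = {  # constructed sample spec, not taken from any real API
    "openapi": "3.0.3",
    "servers": [
        {"url": "http://api.example.test/v1"},   # unencrypted channel
        {"url": "https://api.example.test/v1"},
    ],
    "components": {
        "securitySchemes": {
            "basicAuth": {"type": "http", "scheme": "basic"},
            "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
            "digestAuth": {"type": "http", "scheme": "digest"},
            "apiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        }
    },
}


def security_schemes(spec):
    """Return components.securitySchemes, or {} when the document has none."""
    return (spec.get("components") or {}).get("securitySchemes") or {}


def check_security_schemes(spec):
    """Per-scheme verdict: FAILED only for `type: http` + `scheme: basic`.

    Basic auth carries the credential itself (base64 is not encryption);
    bearer, digest and non-http types do not, so they pass.  Scheme names are
    compared case-insensitively so `Basic` is caught as well as `basic`.
    """
    verdicts = {}
    for name, scheme in security_schemes(spec).items():
        is_http_basic = (
            scheme.get("type") == "http"
            and str(scheme.get("scheme", "")).lower() == "basic"
        )
        verdicts[name] = "FAILED" if is_http_basic else "PASSED"
    return verdicts


def cleartext_servers(spec):
    """The separate issue the author notes: the check ignores the channel.

    Lists server URLs that use plain http://, where even a bearer token
    would travel unencrypted.
    """
    return [
        srv["url"] for srv in spec.get("servers") or []
        if str(srv.get("url", "")).lower().startswith("http://")
    ]
```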