Closed markdboyd closed 10 months ago
Changes proposed in this pull request:
The `generic-credential` rule was flagging lines as containing secrets like these due to the words `keyword`, `key`, or `hostname`:
- https://github.com/cloud-gov/logsearch-for-cloudfoundry/blob/develop/jobs/upload-kibana-objects/templates/kibana-objects/index-pattern/logs.json.erb#L221
- https://github.com/cloud-gov/logsearch-for-cloudfoundry/blob/develop/jobs/upload-kibana-objects/templates/kibana-objects/search/app-all-errors.json.erb#L29
- https://github.com/cloud-gov/logsearch-for-cloudfoundry/blob/develop/jobs/upload-kibana-objects/templates/kibana-objects/index-pattern/logs.json.erb#L134

Obviously these lines don't actually contain secrets, so I updated the rule to ignore matched secrets that match these regexes:
- `\"type\":\"keyword\"`, so containing `"type": "keyword"` in the matched secret
- `\"name\":\".*hostname\"`, so containing `"name":"

Security considerations
We are making legitimate exceptions to one of our rules for detecting secrets
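
An added example, not part of the pull request or the project's configuration: a small regression check that the two allowlist regexes quoted above suppress the false positives while a credential on the same line is still reported. The detection rule here (`PAIR` plus `TRIGGER`) is a hypothetical stand-in, since the real `generic-credential` rule is not shown on this page, and the sample lines are constructed.

```python
import re

# Allowlist regexes exactly as written in the PR description.
ALLOWLIST = [
    re.compile(r'\"type\":\"keyword\"'),
    re.compile(r'\"name\":\".*hostname\"'),
]

# Hypothetical stand-in for the generic-credential rule (an assumption, the
# real rule is not on this page): flag any "k":"v" pair with a trigger word.
PAIR = re.compile(r'"[^"]+"\s*:\s*"[^"]+"')
TRIGGER = re.compile(r'key|secret|token|password|hostname', re.IGNORECASE)


def scan(line):
    """Return (findings, suppressed) for one line of text."""
    findings, suppressed = [], []
    for m in PAIR.finditer(line):
        candidate = m.group(0)
        if not TRIGGER.search(candidate):
            continue
        # The allowlist is tested against the matched text only, not the
        # whole line, so a real secret next to an allowlisted pair is kept.
        if any(rx.search(candidate) for rx in ALLOWLIST):
            suppressed.append(candidate)
        else:
            findings.append(candidate)
    return findings, suppressed


# Constructed sample lines shaped like Kibana index-pattern field entries.
SAMPLES = [
    '{"name":"@source.hostname","type":"string"}',
    '{"name":"message","type":"keyword"}',
    '{"type":"keyword","api_key":"EXAMPLE-NOT-A-REAL-SECRET"}',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan(line), "<-", line)
```

Keeping a known true positive such as the third sample in the scanner's test data shows immediately if a later allowlist entry becomes broad enough to hide it.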