kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

environment variable with secrets #307

Closed raulcabello closed 1 year ago

raulcabello commented 1 year ago

environment variable with secrets looks for confidential credentials in all container env variables. It checks all the regexes in the DefaultRules.

Create a policy that checks that the most common confidential credentials are not passed as environment variables. We can use the following projects instead of writing our own regular expressions:

How the policy works

This policy checks all environment variables in all containers, and rejects pods that pass confidential credentials as environment variables. These confidential credentials include:

Settings

This policy has no configurable settings.

The user is responsible for configuring the policy by defining the resources it targets. Otherwise, the policy will not be able to run. The currently supported resources are listed in the metadata.yml file. See more information about how to configure a policy in the Kubewarden documentation.

Examples

The following pod will be rejected by this policy:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  runtimeClassName: containerd-runc
  containers:
  - name: nginx
    image: nginx
    env:
    - name: PRIVATE
      value: |
        -----BEGIN RSA PRIVATE KEY-----
        MIICXAIBAAKBgQCaEyi/fU0m3HNLvM3lEiSG008FFqBpyK4iBf1EvPhGP9gNR85p
        rrIeJ7d24jYB3SUUoa3VhHdaIRaaaaapy9YpzZ72lkusEuOhPWj5rCFntP2DoSj
        dLh0zJnupjoQTwqmVoLtk/G7UVZWSssWxHbV8iF9sHIjL3aAucZxBJM83QIDAQAB
        AoGAa0FnHlZlvOW9xT17vzkwAENdQNeNd9ZhkgHFW3KJCq4rAqO4B027ZM6VIsc6
        fXWq+H/MeVSrmSxqU9BXj7Dafa00Y1YUHQ/SNjCMHkoAUvQnxGRhuzOFwQf8I2Wa
        8bKYjhC2AWiuPZ9pwfza7rbLVd4ZEk8k0CIWx7A3O+SD2+kCQQDvCEtTSssV2GkK
        LVjHyENB4RBMp5p7aUEPWptm9a0cdk7w0Sc/hpi2Ndpf0pYy0nkq5YtZhkc6HOSq
        XuklSZ+3AkEApQMDUkdOKBVyycnFJ7xt7T7k7QwpTJ77GZePqP5t6vR+T3CDqdBL
        ZBsOPyKt69O3tessttttttttttttttttHFsCGgCwJBAON/6mlI60dMZJTKGhBzWwgNlDzQ
        3CgPQlvBqdxxgSRwuatb9VXx3dC2KrQ+srOGPMqGFH3NXmdB7qT0lkPl8bsCQF8e
        d4GsXN86TesIBkA7nFpQEQKcKgpi8nf0J/nQgGgZ+92rDBqNWYghGHtIcF0qtCuN
        Tgz6mfixf/Xog75eA7UCQDI+RZ93ru76G2bTG1xXaV8FgzvcVO4Rr6ezbNLMC+rj
        QyNaFe1mgRram3qqaw+ErLVq1opQaT3KPMkkTRpywjQ=
        -----END RSA PRIVATE KEY-----
flavio commented 1 year ago

I would have preferred to have a library (the programming language doesn't matter) that provides these regular expressions instead of relying on contents from readme files. I would just love to have the list of supported services increase in the future by just updating to a library maintained by someone :)

I searched a bit and I found:

viccuad commented 1 year ago

+1 to rusty-hog!

raulcabello commented 1 year ago

All their regular expressions are defined in the default_rules.json, which can be easily replaced with a custom JSON. Rusty-hog doesn't support scanning a string, so we would need to implement this (or create a temp file, as they do support scanning files). I think it would be better to just reuse their JSON and allow users to override it in the settings.

flavio commented 1 year ago

Let's start by taking their regexps. I propose to copy their default_rules.json file and add credits at the top of it. We can set up a GitHub Action that detects changes done to this file and opens a PR with an updated version of the file. This can be done with the updatecli tool from @olblak.

As for the user-defined settings, let's leave them for later. I would ship an initial version of the policy that has a list of hard coded regexps.
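As an added example (not code from the Kubewarden project or from anyone in this issue), the following Python shows both the check described under "How the policy works" (walk every container's env, match each literal value against named regexes, reject on the first hit) and the rule-loading approach discussed in the last few comments: a hard-coded default rule set that users can later extend from the policy settings. It assumes the rule file is a flat JSON object mapping a rule name to a regex string (the shape this example assumes for rusty-hog's default_rules.json; the three rules below are constructed samples, not the real file), and it assumes a hypothetical `extra_rules` settings key for user overrides. The Pod objects are constructed in-line as plain dicts (what a YAML loader would produce), and the "private key" in them is a placeholder.

```python
"""Added example: reject Pods whose env vars carry credentials that match a
named rule set. Not the Kubewarden policy's own code."""
import json
import re

# Constructed default rules in the assumed name -> regex shape (the shape this
# example assumes for rusty-hog's default_rules.json). A real rule set is much larger.
DEFAULT_RULES_JSON = r'''{
  "RSA private key": "-----BEGIN RSA PRIVATE KEY-----",
  "Generic private key": "-----BEGIN (EC|DSA|OPENSSH) PRIVATE KEY-----",
  "AWS access key id": "AKIA[0-9A-Z]{16}"
}'''


def compile_rules(rules_json, settings=None):
    """Parse the rule set; merge user rules from the hypothetical
    settings["extra_rules"] key (same name -> regex shape) over the defaults."""
    rules = json.loads(rules_json)
    rules.update((settings or {}).get("extra_rules", {}))
    return {name: re.compile(pattern) for name, pattern in rules.items()}


def iter_env(pod):
    """Yield (container name, env name, literal value) for every container
    and initContainer. Entries using valueFrom (Secret/ConfigMap references)
    carry no literal value, so there is nothing to scan and they are skipped."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            for env in container.get("env", []):
                value = env.get("value")
                if value is None:
                    continue
                yield container.get("name", "?"), env.get("name", "?"), value


def validate_pod(pod, rules):
    """Return (accepted, message). The message names the rule, container and
    env var but never echoes the matched value, so a rejection does not copy
    the secret into the API server's audit log or the policy server's output."""
    for cname, ename, value in iter_env(pod):
        for rule_name, regex in rules.items():
            if regex.search(value):
                return (False,
                        f"env var '{ename}' in container '{cname}' "
                        f"matches rule '{rule_name}'")
    return True, ""


# Constructed Pod mirroring the rejected example above (placeholder key body).
REJECTED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"containers": [{
        "name": "nginx", "image": "nginx",
        "env": [{"name": "PRIVATE",
                 "value": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                          "-----END RSA PRIVATE KEY-----\n"}]}]},
}

# Constructed Pod that takes the key from a Secret reference instead and only
# has a harmless literal value: accepted, since no literal value matches.
ACCEPTED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"containers": [{
        "name": "nginx", "image": "nginx",
        "env": [{"name": "PRIVATE",
                 "valueFrom": {"secretKeyRef": {"name": "tls", "key": "key"}}},
                {"name": "LOG_LEVEL", "value": "info"}]}]},
}

# Constructed Pod with a value only a user-supplied rule would catch.
OVERRIDE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "worker"},
    "spec": {"initContainers": [{
        "name": "init", "image": "busybox",
        "env": [{"name": "TOKEN", "value": "itk_a1b2c3d4"}]}]},
}

if __name__ == "__main__":
    rules = compile_rules(DEFAULT_RULES_JSON)
    print(validate_pod(REJECTED_POD, rules))
    print(validate_pod(ACCEPTED_POD, rules))
    custom = compile_rules(DEFAULT_RULES_JSON,
                           {"extra_rules": {"Internal token": "itk_[a-z0-9]{8}"}})
    print(validate_pod(OVERRIDE_POD, custom))
```

Two design points worth keeping when this is ported into a real policy: scanning only literal `value` fields means a Pod that mounts the credential through `valueFrom` is (correctly) not rejected, and the rejection message deliberately reports the rule, container and variable name rather than the matched text, so the policy never copies a secret into logs or admission responses.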

olblak commented 1 year ago

tup a GitHub actions that detects changes done to this file and opens a PR with an updated version of the file. This can be done with the updatecli tool from @olblak.

Sure, I can pair with someone; it shouldn't take long.