stacscan / stacs-ci

A set of modules to enable integration of STACS with commonly used CI / CD systems
BSD 3-Clause "New" or "Revised" License

[0.1.5] Update to the latest STACS container. #9

Closed darkarnium closed 2 years ago

darkarnium commented 2 years ago

Overview

PLEASE NOTE: There is a potentially breaking change as part of this update, as the Stripe rule has been relocated under SaaS. This modifies its reference to now be CredentialSaaSStripeAPI. Any previously suppressed findings for this rule will need to be updated to reflect this new identifier.

🛠️ New Features

🍩 Improvements

🐛 Bug Fixes

github-actions[bot] commented 2 years ago

:x: STACS Finding

STACS has found a potential static token or credential at line 1 of tests/fixtures/ci/credential.txt due to potential AWS access key found.

Finding Sample

```
...aws_access_key_id=AKIAZJ3PDTI2R9JLXCTH aws_secret_key_id=39...
```

If this credential is valid it should be immediately revoked, and the cause of this credential making it into this file investigated.

If this finding is against a 'fake' credential, such as in a test fixture, this finding can be suppressed using an ignore list in the root of this repository. A basic ignore list entry can be found below which may be suitable; otherwise, please refer to the STACS documentation.

Example Suppression

```json
{
  "ignore": [
    {
      "pattern": "tests/fixtures/ci/credential\\.txt$",
      "reason": "A reason for this suppression"
    }
  ],
  "include": []
}
```

[V:0.4.4, R:CredentialCloudAWSAccessKey, F:ddf2c31a0f0978a5f4f3dc21c84d0f2dfd4dc135]

github-actions[bot] commented 2 years ago

:x: STACS Finding

STACS has found a potential static token or credential at line 2 of tests/fixtures/ci/credential.txt due to potential AWS Secret key found.

Finding Sample

```
...TH aws_secret_key_id=39isgIVkaUNhaUFZz+U3ENRpXnAmfh/KbPlUIWiQ...
```

If this credential is valid it should be immediately revoked, and the cause of this credential making it into this file investigated.

If this finding is against a 'fake' credential, such as in a test fixture, this finding can be suppressed using an ignore list in the root of this repository. A basic ignore list entry can be found below which may be suitable; otherwise, please refer to the STACS documentation.

Example Suppression

```json
{
  "ignore": [
    {
      "pattern": "tests/fixtures/ci/credential\\.txt$",
      "reason": "A reason for this suppression"
    }
  ],
  "include": []
}
```

[V:0.4.4, R:CredentialCloudAWSSecretKey, F:9814f36e9fb74217d415b902639de028644e56ad]
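As an added illustration of the suppression the bot suggests above (this is not STACS's own code, and the findings list is constructed): the script applies the example ignore list to a handful of reported paths, assuming that `pattern` is a regular expression searched against the finding's file path, as the escaped `\.` and `$` anchor in the bot's entry suggest. It shows that the `$`-anchored fixture pattern suppresses only the fixture file, not a same-named file elsewhere or a `.bak` copy.

```python
import json
import re

# Constructed ignore list in the shape the bot comment suggests.
IGNORE_LIST_JSON = r'''
{
  "ignore": [
    {
      "pattern": "tests/fixtures/ci/credential\\.txt$",
      "reason": "Fake AWS credential used as a CI test fixture"
    }
  ],
  "include": []
}
'''

# Constructed findings as (path, rule), mirroring the bot's report fields.
FINDINGS = [
    ("tests/fixtures/ci/credential.txt", "CredentialCloudAWSAccessKey"),
    ("tests/fixtures/ci/credential.txt", "CredentialCloudAWSSecretKey"),
    ("tests/fixtures/ci/credential.txt.bak", "CredentialCloudAWSAccessKey"),
    ("src/config/credential.txt", "CredentialCloudAWSAccessKey"),
]


def load_ignore_patterns(ignore_json):
    """Parse the ignore list; each 'pattern' is treated as a path regex (assumption)."""
    data = json.loads(ignore_json)
    return [(re.compile(e["pattern"]), e["reason"]) for e in data.get("ignore", [])]


def triage(findings, ignore_json):
    """Split findings into suppressed (with the reason) and still-actionable ones."""
    patterns = load_ignore_patterns(ignore_json)
    suppressed, actionable = [], []
    for path, rule in findings:
        reasons = [reason for regex, reason in patterns if regex.search(path)]
        if reasons:
            suppressed.append((path, rule, reasons[0]))
        else:
            actionable.append((path, rule))
    return suppressed, actionable


if __name__ == "__main__":
    done, todo = triage(FINDINGS, IGNORE_LIST_JSON)
    for path, rule, reason in done:
        print(f"suppressed  {rule} in {path} ({reason})")
    for path, rule in todo:
        print(f"ACTION      {rule} in {path}: revoke if live, then investigate")
```

Note that the suppression keys on the path only; after the rule rename described in this PR, any entry that references a rule identifier (rather than a path) must be updated to the new name.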