trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

Detection of Kubernetes Secrets #849

Open dinvlad opened 1 year ago

dinvlad commented 1 year ago

Description

It would be great to be able to detect Kubernetes Secrets, provided it doesn't generate a lot of noise.

Problem to be Addressed

Currently, there doesn't appear to be a generic Kubernetes Secrets detector. I wonder if we could add a pattern for it.

Description of the Preferred Solution

We could add a pattern based on YAML representation, something like:

apiVersion: v1
kind: Secret
metadata:
  .*
  name: .*
(data|stringData):
  \w+: .*

Or would this approach generate a lot of false-positives for "test" credentials?

mac2000 commented 1 year ago

Do Kubernetes secrets themselves matter?

I mean that it is just yet another file with a YAML extension.

I wish Trufflehog to find the database connection string no matter where it is saved: in appsettings.json, application.properties, or secrets.yaml.

Also, try to imagine that such a detector exists and finds such secrets - how should it verify them?

dinvlad commented 1 year ago

I don’t think we should verify these; we just need to see that there’s non-trivial data stored in the template.

Re: general-purpose database connection strings, agreed, though for example with the JDBC detector we’ve been getting some undesired noise. https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors/jdbc

I do think here we should just focus on detecting a base64-encoded value within the secret template, without necessarily trying to determine what it is (though that would be cool!).
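An added Go sketch of the approach discussed in this thread (example code, not trufflehog's own detector): match `kind: Secret` manifests, pull out the `data:` entries, base64-decode them, and keep only values long and high-entropy enough not to be "test" placeholders. The fixture, regex names and thresholds are mine; `stringData:` (plain text) is left out for brevity.

```go
package main

import (
	"encoding/base64"
	"math"
	"regexp"
	"strings"
)

// Finding is one data: entry of a Secret manifest that looks like a real credential.
type Finding struct{ Key, Value string }

var (
	kindSecretRe = regexp.MustCompile(`(?m)^kind:[ \t]*Secret[ \t]*$`)
	// Indented block under a top-level data: key; stringData: is plain text and left out here.
	dataBlockRe = regexp.MustCompile(`(?m)^data:[ \t]*\n((?:[ \t]+\S.*\n?)+)`)
	// One "key: base64" entry inside that block; surrounding quotes are optional.
	entryRe = regexp.MustCompile(`(?m)^[ \t]+([A-Za-z0-9._-]+):[ \t]*["']?([A-Za-z0-9+/=]+)["']?[ \t]*$`)
)

// shannonEntropy returns bits per byte: random tokens sit near 4-6, words near 2-3.
func shannonEntropy(s string) (h float64) {
	freq := map[byte]float64{}
	for i := 0; i < len(s); i++ {
		freq[s[i]]++
	}
	for _, n := range freq {
		h -= n / float64(len(s)) * math.Log2(n/float64(len(s)))
	}
	return h
}

// FindKubeSecretValues splits src into YAML documents, keeps only kind: Secret, and
// reports data: entries that decode to at least minLen bytes with at least minEntropy
// bits per byte, which drops placeholders such as "test" or "changeme".
func FindKubeSecretValues(src string, minLen int, minEntropy float64) (out []Finding) {
	for _, doc := range strings.Split(src, "\n---") {
		if !kindSecretRe.MatchString(doc) {
			continue // ConfigMaps and other kinds are skipped even if they have data:
		}
		for _, b := range dataBlockRe.FindAllStringSubmatch(doc, -1) {
			for _, e := range entryRe.FindAllStringSubmatch(b[1], -1) {
				raw, err := base64.StdEncoding.DecodeString(e[2])
				if err == nil && len(raw) >= minLen && shannonEntropy(string(raw)) >= minEntropy {
					out = append(out, Finding{e[1], string(raw)})
				}
			}
		}
	}
	return out
}

// SampleManifest is a constructed fixture, not a real secret: placeholder "test" beside a token, then a ConfigMap.
const SampleManifest = "apiVersion: v1\nkind: Secret\nmetadata:\n  name: demo-creds\ndata:\n  password: dGVzdA==\n  token: eDdRbTJQekw5dktkNFJu\n---\nkind: ConfigMap\ndata:\n  token: eDdRbTJQekw5dktkNFJu\n"
```

With minLen 8 and minEntropy 3.0, only the `token` entry of the Secret is reported; the base64 "test" password and the ConfigMap copy are dropped.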