Unverified Commit bb200fa6 authored by hadar-co, Committed by GitHub

feat: add secret rules logic (#812)


* add secret rules logic

* feat: use alias for secret rule logic

* feat: use alias for secret rule logic

* test: remove new secrets rules from junit expected output

* revert my last change

* merge main

* test: fix rule 71 fail unit test

* test: fix JUnit verbose test

* add comment
Co-authored-by: Roy Hadad <roy@datree.io>
Showing with 520 additions and 7 deletions
+520 -7
......@@ -13,6 +13,41 @@ aliases:
- ReplicaSet
- CronJob
- Job
- &notKindSecret
properties:
kind:
not:
enum:
- Secret
# The following alias is used to prohibit a string from matching a given regex anywhere in the manifest
- &recursiveDontAllowValue
type: object
additionalProperties:
if:
type: object
then:
"$ref": "#"
else:
if:
type: array
then:
items:
if:
type: object
then:
"$ref": "#"
else:
if:
type: string
then:
not:
"$ref": "#/definitions/regexes"
else:
if:
type: string
then:
not:
"$ref": "#/definitions/regexes"
rules:
- id: 1
name: Ensure each container image has a pinned (tag) version
......@@ -1916,17 +1951,14 @@ rules:
type: array
items:
$ref: "#/$defs/securityContextSeccomp"
allOf:
- $ref: "#/definitions/seccompExplicit"
- $ref: "#/definitions/seccompPatternInSpec"
- $ref: "#/definitions/seccompPatternInContainer"
additionalProperties:
$ref: "#"
items:
$ref: "#"
$defs:
securityContextSeccompReq:
required:
......@@ -1954,3 +1986,262 @@ rules:
enum:
- "unconfined"
- "Unconfined"
- id: 62
name: Prevent exposed BitBucket secrets in objects
uniqueName: ALL_EXPOSED_SECRET_BITBUCKET
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-bitbucket"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 63
name: Prevent exposed Datadog secrets in objects
uniqueName: ALL_EXPOSED_SECRET_DATADOG
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-datadog"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 64
name: Prevent exposed GCP secrets in objects
uniqueName: ALL_EXPOSED_SECRET_GCP
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gcp"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: \b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 65
name: Prevent exposed AWS secrets in objects
uniqueName: ALL_EXPOSED_SECRET_AWS
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-aws"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 66
name: Prevent exposed GitHub secrets in objects
uniqueName: ALL_EXPOSED_SECRET_GITHUB
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-github"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (ghu|ghs)_[0-9a-zA-Z]{36}
- pattern: gho_[0-9a-zA-Z]{36}
- pattern: ghp_[0-9a-zA-Z]{36}
- pattern: ghr_[0-9a-zA-Z]{36}
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 67
name: Prevent exposed GitLab secrets in objects
uniqueName: ALL_EXPOSED_SECRET_GITLAB
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gitlab"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: glpat-[0-9a-zA-Z\-\_]{20}
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 68
name: Prevent exposed Terraform secrets in objects
uniqueName: ALL_EXPOSED_SECRET_TERRAFORM
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-terraform"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: '[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}'
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 69
name: Prevent exposed Heroku secrets in objects
uniqueName: ALL_EXPOSED_SECRET_HEROKU
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-heroku"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 70
name: Prevent exposed JWT secrets in objects
uniqueName: ALL_EXPOSED_SECRET_JWT
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-jwt"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: \b(ey[0-9a-z]{30,34}\.ey[0-9a-z-\/_]{30,500}\.[0-9a-zA-Z-\/_]{10,200})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 71
name: Prevent exposed LaunchDarkly secrets in objects
uniqueName: ALL_EXPOSED_SECRET_LAUNCHDARKLY
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-launchdarkly"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 72
name: Prevent exposed New Relic secrets in objects
uniqueName: ALL_EXPOSED_SECRET_NEWRELIC
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-newrelic"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$)
- pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
- pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 73
name: Prevent exposed npm secrets in objects
uniqueName: ALL_EXPOSED_SECRET_NPM
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-npm"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: \b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 74
name: Prevent exposed Okta secrets in objects
uniqueName: ALL_EXPOSED_SECRET_OKTA
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-okta"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 75
name: Prevent exposed Stripe secrets in objects
uniqueName: ALL_EXPOSED_SECRET_STRIPE
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-stripe"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (sk|pk)_(test|live)_[0-9a-z]{10,32}
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 76
name: Prevent exposed SumoLogic secrets in objects
uniqueName: ALL_EXPOSED_SECRET_SUMOLOGIC
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-sumologic"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$)
- pattern: (?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 77
name: Prevent exposed Twilio secrets in objects
uniqueName: ALL_EXPOSED_SECRET_TWILIO
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-twilio"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: SK[0-9a-fA-F]{32}
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 78
name: Prevent exposed Vault secrets in objects
uniqueName: ALL_EXPOSED_SECRET_VAULT
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-vault"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: \b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60|;]|$)
- pattern: \b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$)
if: *notKindSecret
then: *recursiveDontAllowValue
- id: 79
name: Prevent exposed private keys in objects
uniqueName: ALL_EXPOSED_SECRET_PRIVATEKEY
enabledByDefault: True
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-privatekey"
messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
category: Secrets
schema:
definitions:
regexes:
anyOf:
- pattern: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S-]*KEY----
if: *notKindSecret
then: *recursiveDontAllowValue
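Review bot: The JWT pattern in rule 70 is case-sensitive, but a real JWT header such as `eyJhbGciOiJIUzI1NiJ9` contains uppercase letters, so `ey[0-9a-z]{30,34}` will miss most genuine tokens; the private-key rule 79 shows the evaluator accepts an inline `(?i)` flag, so the line should become `- pattern: (?i)\b(ey[0-9a-z]{30,34}\.ey[0-9a-z-\/_]{30,500}\.[0-9a-zA-Z-\/_]{10,200})(?:['|\"|\n|\r|\s|\x60|;]|$)`. The Stripe pattern in rule 75 has the same gap, since real keys mix upper and lower case after the `sk_live_`/`sk_test_` prefix, and `(?i)` there is the matching one-token fix. Separately, the GCP pattern in rule 64 is a plain YAML scalar, so `\\-_` reaches the regex engine as an escaped backslash followed by a range up to `_`; that class then also admits `]` and `^`, which is presumably why the GCP fixture value `AIzap7aDlsMO66URpaF]dTivLPxdlGNp003ixSa` matches at all — the intended class is `[0-9A-Za-z\-_]`, i.e. `- pattern: \b(AIza[0-9A-Za-z\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)`, with the fixture adjusted to a `]`-free value.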
......@@ -10,15 +10,15 @@
},
"rules": {
"type": "array",
"minItems": 61,
"maxItems": 61,
"minItems": 79,
"maxItems": 79,
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"minimum": 1,
"maximum": 61
"maximum": 79
},
"name": {
"type": "string",
......@@ -53,6 +53,7 @@
"Other",
"Custom",
"Argo",
"Secrets",
"NSA"
]
},
......@@ -30,6 +30,24 @@
<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
</testsuite>
<testsuite name="File2">
<testcase name="Ensure each container image has a pinned (tag) version" classname="CONTAINERS_MISSING_IMAGE_VALUE_VERSION"></testcase>
......@@ -53,6 +71,24 @@
<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
</testsuite>
<testsuite name="policySummary">
<properties>
......@@ -34,6 +34,24 @@
<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
</testsuite>
<testsuite name="File2">
<testcase name="Ensure each container image has a pinned (tag) version" classname="CONTAINERS_MISSING_IMAGE_VALUE_VERSION"></testcase>
......@@ -57,6 +75,24 @@
<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
</testsuite>
<testsuite name="policySummary">
<properties>
......@@ -19,4 +19,3 @@ spec:
type: unconfined
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: bitbucketr=>yf8gf86gcdz1e4df2efnbtmcpzwivk1a
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: datadog5x<=```"pcxx9wi21i8sh4na1sdl6488j79fsemasb40i10p
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: AIzap7aDlsMO66URpaF]dTivLPxdlGNp003ixSa
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: AGPAQPRC2KYLEMAQI3F6
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: gho_fq2Umv92EQx02Gdc7Haias0UqKmq8xIeeund
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: glpat-37HjBcYY9Qb7RNnqm6wJ
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: qoy9xh5sm50tue.atlasv1.b4udif2t66iyk_1cjpvpktac9j4awk9wwrh=pc_3cxc4wl1txvdwfyryyo_d
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: herokuvsz_en6klqqzpkm0vxp:=c864956d-e7d4-65ed-bb79-f938ff6167a9
image: nginx:1.14.2
ports:
- containerPort: 80
\ No newline at end of file