feat: add secret rules logic (#812)

* add secret rules logic * feat: use alias for secret rule logic * feat: use alias for secret rule logic * test: remove new secrets rules from junit expected output * revert my last change * merge main * test: fix rule 71 fail unit test * test: fix JUnit verbose test * add comment Co-authored-by: Roy Hadad <roy@datree.io>

feat: add secret rules logic (#812)
* add secret rules logic * feat: use alias for secret rule logic * feat: use alias for secret rule logic * test: remove new secrets rules from junit expected output * revert my last change * merge main * test: fix rule 71 fail unit test * test: fix JUnit verbose test * add comment Co-authored-by: Roy Hadad <roy@datree.io>
bb200fa6 · hadar-co · GitHub · 962d8f29 · bb200fa6 · bb200fa6
Unverified Commit bb200fa6 authored 2 years ago by hadar-co Committed by GitHub 2 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 520 additions and 7 deletions
+520 -7
--- a/pkg/defaultRules/defaultRules.yaml
+++ b/pkg/defaultRules/defaultRules.yaml
@@ -13,6 +13,41 @@ aliases:
          - ReplicaSet
          - CronJob
          - Job
+  - &notKindSecret
+    properties:
+      kind:
+        not:
+          enum:
+            - Secret
+  # The following alias is used to prohibit a string from matching a given regex anywhere in the manifest
+  - &recursiveDontAllowValue
+    type: object
+    additionalProperties:
+      if:
+        type: object
+      then:
+        "$ref": "#"
+      else:
+        if:
+          type: array
+        then:
+          items:
+            if:
+              type: object
+            then:
+              "$ref": "#"
+            else:
+              if:
+                type: string
+              then:
+                not: 
+                  "$ref": "#/definitions/regexes"
+        else:
+          if:
+            type: string
+          then:
+            not:
+              "$ref": "#/definitions/regexes"
 rules:
  - id: 1
    name: Ensure each container image has a pinned (tag) version
@@ -1916,17 +1951,14 @@ rules:
                    type: array
                    items:
                      $ref: "#/$defs/securityContextSeccomp"
-
      allOf:
        - $ref: "#/definitions/seccompExplicit"
        - $ref: "#/definitions/seccompPatternInSpec"
        - $ref: "#/definitions/seccompPatternInContainer"
-
      additionalProperties:
        $ref: "#"
        items:
          $ref: "#"
-      
      $defs:
        securityContextSeccompReq:
          required:
@@ -1954,3 +1986,262 @@ rules:
                        enum:
                          - "unconfined"
                          - "Unconfined"
+  - id: 62
+    name: Prevent exposed BitBucket secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_BITBUCKET
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-bitbucket"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 63
+    name: Prevent exposed Datadog secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_DATADOG
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-datadog"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 64
+    name: Prevent exposed GCP secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_GCP
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gcp"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: \b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 65
+    name: Prevent exposed AWS secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_AWS
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-aws"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 66
+    name: Prevent exposed GitHub secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_GITHUB
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-github"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (ghu|ghs)_[0-9a-zA-Z]{36}
+            - pattern: gho_[0-9a-zA-Z]{36}
+            - pattern: ghp_[0-9a-zA-Z]{36}
+            - pattern: ghr_[0-9a-zA-Z]{36}
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 67
+    name: Prevent exposed GitLab secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_GITLAB
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gitlab"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: glpat-[0-9a-zA-Z\-\_]{20}
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 68
+    name: Prevent exposed Terraform secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_TERRAFORM
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-terraform"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: '[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}'
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 69
+    name: Prevent exposed Heroku secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_HEROKU
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-heroku"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 70
+    name: Prevent exposed JWT secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_JWT
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-jwt"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: \b(ey[0-9a-z]{30,34}\.ey[0-9a-z-\/_]{30,500}\.[0-9a-zA-Z-\/_]{10,200})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 71
+    name: Prevent exposed LaunchDarkly secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_LAUNCHDARKLY
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-launchdarkly"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 72
+    name: Prevent exposed New Relic secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_NEWRELIC
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-newrelic"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$)
+            - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
+            - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 73
+    name: Prevent exposed npm secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_NPM
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-npm"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: \b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 74
+    name: Prevent exposed Okta secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_OKTA
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-okta"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 75
+    name: Prevent exposed Stripe secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_STRIPE
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-stripe"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (sk|pk)_(test|live)_[0-9a-z]{10,32}
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 76
+    name: Prevent exposed SumoLogic secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_SUMOLOGIC
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-sumologic"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$)
+            - pattern: (?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 77
+    name: Prevent exposed Twilio secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_TWILIO
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-twilio"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: SK[0-9a-fA-F]{32}
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 78
+    name: Prevent exposed Vault secrets in objects
+    uniqueName: ALL_EXPOSED_SECRET_VAULT
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-vault"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: \b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60|;]|$)
+            - pattern: \b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$)
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
+  - id: 79
+    name: Prevent exposed private keys in objects
+    uniqueName: ALL_EXPOSED_SECRET_PRIVATEKEY
+    enabledByDefault: True
+    documentationUrl: "https://hub.datree.io/built-in-rules/prevent-exposed-secrets-privatekey"
+    messageOnFailure: "Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen"
+    category: Secrets
+    schema:
+      definitions:
+        regexes:
+          anyOf:
+            - pattern: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S-]*KEY----
+      if: *notKindSecret
+      then: *recursiveDontAllowValue
--- a/pkg/defaultRules/defaultRulesSchema.json
+++ b/pkg/defaultRules/defaultRulesSchema.json
@@ -10,15 +10,15 @@
    },
    "rules": {
      "type": "array",
-      "minItems": 61,
-      "maxItems": 61,
+      "minItems": 79,
+      "maxItems": 79,
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "number",
            "minimum": 1,
-            "maximum": 61
+            "maximum": 79
          },
          "name": {
            "type": "string",
@@ -53,6 +53,7 @@
              "Other",
              "Custom",
              "Argo",
+              "Secrets",
              "NSA"
            ]
          },

--- a/pkg/evaluation/printer_test_expected_outputs/JUnit_output.xml
+++ b/pkg/evaluation/printer_test_expected_outputs/JUnit_output.xml
@@ -30,6 +30,24 @@
 		<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
 		<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
 		<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
+		<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
+		<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
+		<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
+		<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
+		<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
+		<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
+		<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
+		<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
+		<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
+		<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
+		<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
+		<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
+		<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
+		<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
+		<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
+		<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
+		<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
+		<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
 	</testsuite>
 	<testsuite name="File2">
 		<testcase name="Ensure each container image has a pinned (tag) version" classname="CONTAINERS_MISSING_IMAGE_VALUE_VERSION"></testcase>
@@ -53,6 +71,24 @@
 		<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
 		<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
 		<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
+		<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
+		<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
+		<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
+		<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
+		<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
+		<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
+		<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
+		<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
+		<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
+		<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
+		<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
+		<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
+		<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
+		<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
+		<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
+		<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
+		<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
+		<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
 	</testsuite>
 	<testsuite name="policySummary">
 		<properties>

--- a/pkg/evaluation/printer_test_expected_outputs/JUnit_output_verbose.xml
+++ b/pkg/evaluation/printer_test_expected_outputs/JUnit_output_verbose.xml
@@ -34,6 +34,24 @@
 		<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
 		<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
 		<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
+		<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
+		<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
+		<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
+		<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
+		<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
+		<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
+		<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
+		<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
+		<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
+		<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
+		<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
+		<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
+		<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
+		<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
+		<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
+		<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
+		<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
+		<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
 	</testsuite>
 	<testsuite name="File2">
 		<testcase name="Ensure each container image has a pinned (tag) version" classname="CONTAINERS_MISSING_IMAGE_VALUE_VERSION"></testcase>
@@ -57,6 +75,24 @@
 		<testcase name="Prevent containers from having root access capabilities" classname="CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE"></testcase>
 		<testcase name="Prevent CronJob from executing jobs concurrently" classname="CRONJOB_MISSING_CONCURRENCYPOLICY_KEY"></testcase>
 		<testcase name="Ensure resource has a configured name" classname="RESOURCE_MISSING_NAME"></testcase>
+		<testcase name="Prevent exposed BitBucket secrets in objects" classname="ALL_EXPOSED_SECRET_BITBUCKET"></testcase>
+		<testcase name="Prevent exposed Datadog secrets in objects" classname="ALL_EXPOSED_SECRET_DATADOG"></testcase>
+		<testcase name="Prevent exposed GCP secrets in objects" classname="ALL_EXPOSED_SECRET_GCP"></testcase>
+		<testcase name="Prevent exposed AWS secrets in objects" classname="ALL_EXPOSED_SECRET_AWS"></testcase>
+		<testcase name="Prevent exposed GitHub secrets in objects" classname="ALL_EXPOSED_SECRET_GITHUB"></testcase>
+		<testcase name="Prevent exposed GitLab secrets in objects" classname="ALL_EXPOSED_SECRET_GITLAB"></testcase>
+		<testcase name="Prevent exposed Terraform secrets in objects" classname="ALL_EXPOSED_SECRET_TERRAFORM"></testcase>
+		<testcase name="Prevent exposed Heroku secrets in objects" classname="ALL_EXPOSED_SECRET_HEROKU"></testcase>
+		<testcase name="Prevent exposed JWT secrets in objects" classname="ALL_EXPOSED_SECRET_JWT"></testcase>
+		<testcase name="Prevent exposed LaunchDarkly secrets in objects" classname="ALL_EXPOSED_SECRET_LAUNCHDARKLY"></testcase>
+		<testcase name="Prevent exposed New Relic secrets in objects" classname="ALL_EXPOSED_SECRET_NEWRELIC"></testcase>
+		<testcase name="Prevent exposed npm secrets in objects" classname="ALL_EXPOSED_SECRET_NPM"></testcase>
+		<testcase name="Prevent exposed Okta secrets in objects" classname="ALL_EXPOSED_SECRET_OKTA"></testcase>
+		<testcase name="Prevent exposed Stripe secrets in objects" classname="ALL_EXPOSED_SECRET_STRIPE"></testcase>
+		<testcase name="Prevent exposed SumoLogic secrets in objects" classname="ALL_EXPOSED_SECRET_SUMOLOGIC"></testcase>
+		<testcase name="Prevent exposed Twilio secrets in objects" classname="ALL_EXPOSED_SECRET_TWILIO"></testcase>
+		<testcase name="Prevent exposed Vault secrets in objects" classname="ALL_EXPOSED_SECRET_VAULT"></testcase>
+		<testcase name="Prevent exposed private keys in objects" classname="ALL_EXPOSED_SECRET_PRIVATEKEY"></testcase>
 	</testsuite>
 	<testsuite name="policySummary">
 		<properties>

--- a/pkg/policy/tests/61-fail.yaml
+++ b/pkg/policy/tests/61-fail.yaml
@@ -19,4 +19,3 @@ spec:
          type: unconfined
      ports:
        - containerPort: 80
-
--- a/pkg/policy/tests/62-fail.yaml
+++ b/pkg/policy/tests/62-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: bitbucketr=>yf8gf86gcdz1e4df2efnbtmcpzwivk1a
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/62-pass.yaml
+++ b/pkg/policy/tests/62-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/63-fail.yaml
+++ b/pkg/policy/tests/63-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: datadog5x<=```"pcxx9wi21i8sh4na1sdl6488j79fsemasb40i10p
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/63-pass.yaml
+++ b/pkg/policy/tests/63-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/64-fail.yaml
+++ b/pkg/policy/tests/64-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: AIzap7aDlsMO66URpaF]dTivLPxdlGNp003ixSa
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/64-pass.yaml
+++ b/pkg/policy/tests/64-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/65-fail.yaml
+++ b/pkg/policy/tests/65-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: AGPAQPRC2KYLEMAQI3F6
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/65-pass.yaml
+++ b/pkg/policy/tests/65-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/66-fail.yaml
+++ b/pkg/policy/tests/66-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: gho_fq2Umv92EQx02Gdc7Haias0UqKmq8xIeeund
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/66-pass.yaml
+++ b/pkg/policy/tests/66-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/67-fail.yaml
+++ b/pkg/policy/tests/67-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: glpat-37HjBcYY9Qb7RNnqm6wJ
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/67-pass.yaml
+++ b/pkg/policy/tests/67-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/68-fail.yaml
+++ b/pkg/policy/tests/68-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: qoy9xh5sm50tue.atlasv1.b4udif2t66iyk_1cjpvpktac9j4awk9wwrh=pc_3cxc4wl1txvdwfyryyo_d
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/68-pass.yaml
+++ b/pkg/policy/tests/68-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file
--- a/pkg/policy/tests/69-fail.yaml
+++ b/pkg/policy/tests/69-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: herokuvsz_en6klqqzpkm0vxp:=c864956d-e7d4-65ed-bb79-f938ff6167a9
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
\ No newline at end of file