Add Secret validation
As a user I would like to know whether the secret found is valid or not, so I would be able to prioritize and remediate accordingly.

Description: Associate the following data with the secret found:
- Verification Status - whether the secret could be checked, as it won't always be possible
- Secret validity result (if the secret has been found to be valid)
Secrets to add validation to:
- [ ] AWS secrets
- [ ] Azure secrets
- [ ] Google Cloud Platform secrets
Some of the secrets (such as GitHub) are stand-alone tokens, but some of them can be used only in combination (of Access Token and Secret Token, such as on the AWS Console).
I need to think about how to validate those.
- AWS secrets must first be supported on gitleaks, see https://github.com/gitleaks/gitleaks/pull/1356.
- Azure secrets development is stuck; there is an open PR (https://github.com/gitleaks/gitleaks/pull/1291) and an issue (https://github.com/gitleaks/gitleaks/issues/539).
- Google Cloud Platform personal access token is an SSH token, and it is an open problem to assign it to GCP and not a generic SSH.
To validate gcp-api-key, I'm not sure what the complete process will be, but try this:

```
curl \
  'https://youtube.googleapis.com/youtube/v3/search?part=snippet&key=YOUR_GCP_KEY' \
  --header 'Accept: application/json' \
  --compressed
```

It may return a message like `YouTube Data API v3 has not been used in project 123456 before or it is disabled`, which means this key is related to a project.
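The thread asks for two separate fields (whether a check could be performed at all, and what it found) and sketches a probe for GCP API keys. The Go program below is an added example, not code from this issue, from 2ms or from gitleaks. It performs the same YouTube Data API request as the curl command and maps the response onto those two fields; a transport failure is reported as "unverified" rather than guessed. The response bodies in `main` are constructed samples that follow Google's JSON error envelope (`{"error": {"code", "message", "status"}}`); the 403 message is the one quoted above, and the assumption that an unknown key yields a 400 with `API key not valid` is labelled in the code. `RoundTripFunc`, `ProbeGCPKey` and `ClassifyGCPKeyResponse` are names chosen here, not APIs of any project.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// VerificationStatus says whether a check could be carried out, independent of its outcome.
type VerificationStatus string

const (
	Unverified VerificationStatus = "unverified" // check not attempted, failed, or uninterpretable
	Verified   VerificationStatus = "verified"   // provider answered and the answer was interpretable
)

// Validity is the outcome of a completed check.
type Validity string

const (
	Unknown Validity = "unknown"
	Valid   Validity = "valid"
	Invalid Validity = "invalid"
)

// ValidationResult is what a scanner would attach to a finding.
type ValidationResult struct {
	Status   VerificationStatus
	Validity Validity
	Detail   string
}

// googleError mirrors Google's JSON error envelope; unknown fields are ignored.
type googleError struct {
	Error struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
		Status  string `json:"status"`
	} `json:"error"`
}

// ClassifyGCPKeyResponse maps an HTTP status and body from the probe onto the two fields.
// It needs no network, so it can be exercised on constructed responses.
func ClassifyGCPKeyResponse(statusCode int, body []byte) ValidationResult {
	var ge googleError
	_ = json.Unmarshal(body, &ge) // a non-JSON body simply leaves Message empty
	msg := ge.Error.Message
	switch {
	case statusCode == http.StatusOK:
		return ValidationResult{Status: Verified, Validity: Valid, Detail: "key accepted by the API"}
	case statusCode == http.StatusForbidden && strings.Contains(msg, "has not been used in project"):
		// The message quoted in the thread: the API is disabled, but Google has already
		// resolved the key to a project, so the key itself is live.
		return ValidationResult{Status: Verified, Validity: Valid, Detail: "key belongs to a project, API not enabled: " + msg}
	case statusCode == http.StatusBadRequest && strings.Contains(msg, "API key not valid"):
		// Assumption: Google answers an unknown or malformed key with this 400 message.
		return ValidationResult{Status: Verified, Validity: Invalid, Detail: msg}
	default:
		// Anything else (5xx, rate limiting, an unfamiliar 403) is not a verdict.
		return ValidationResult{Status: Unverified, Validity: Unknown, Detail: fmt.Sprintf("unexpected response %d: %s", statusCode, msg)}
	}
}

// RoundTripFunc lets a plain function act as an http.RoundTripper (used here to simulate outages).
type RoundTripFunc func(*http.Request) (*http.Response, error)

func (f RoundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// ProbeGCPKey issues the request from the curl command and classifies the answer.
// Go's default transport negotiates gzip on its own, which is what --compressed did.
func ProbeGCPKey(client *http.Client, key string) ValidationResult {
	q := url.Values{}
	q.Set("part", "snippet")
	q.Set("key", key)
	req, err := http.NewRequest(http.MethodGet, "https://youtube.googleapis.com/youtube/v3/search?"+q.Encode(), nil)
	if err != nil {
		return ValidationResult{Status: Unverified, Validity: Unknown, Detail: err.Error()}
	}
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		// No answer from the provider: report that the check could not be performed.
		return ValidationResult{Status: Unverified, Validity: Unknown, Detail: "check not possible: " + err.Error()}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return ValidationResult{Status: Unverified, Validity: Unknown, Detail: err.Error()}
	}
	return ClassifyGCPKeyResponse(resp.StatusCode, body)
}

func main() {
	// Constructed sample responses (not captured from Google); the 403 text is the one quoted in the thread.
	samples := []struct {
		code int
		body string
	}{
		{200, `{"kind":"youtube#searchListResponse","items":[]}`},
		{403, `{"error":{"code":403,"message":"YouTube Data API v3 has not been used in project 123456 before or it is disabled.","status":"PERMISSION_DENIED"}}`},
		{400, `{"error":{"code":400,"message":"API key not valid. Please pass a valid API key.","status":"INVALID_ARGUMENT"}}`},
	}
	for _, s := range samples {
		r := ClassifyGCPKeyResponse(s.code, []byte(s.body))
		fmt.Printf("%d -> status=%s validity=%s (%s)\n", s.code, r.Status, r.Validity, r.Detail)
	}
	// Simulated outage: the finding is reported as unverified, not as valid or invalid.
	offline := &http.Client{Timeout: 5 * time.Second, Transport: RoundTripFunc(func(*http.Request) (*http.Response, error) {
		return nil, errors.New("simulated: no route to host")
	})}
	r := ProbeGCPKey(offline, "PLACEHOLDER_GCP_KEY")
	fmt.Printf("offline -> status=%s validity=%s (%s)\n", r.Status, r.Validity, r.Detail)
}
```

Keeping the classifier separate from the HTTP call is the part worth copying: the provider's wording is the only thing that changes between AWS, Azure and GCP, and a scanner can unit-test each mapping on stored responses without ever sending a real key anywhere. Passing the `*http.Client` in also makes it straightforward to enforce a timeout and to disable validation entirely in environments that must not contact the provider.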