
False positive for `CKV_SECRET_6` for `google_secret_manager_secret_version` resources

Open calexandre opened this issue 3 years ago • 8 comments

Describe the bug: Checkov 2.0.446 is detecting a false positive regarding the Secret Manager usage.

Basically it is showing multiple failed checks for resources declared in the following format:

data "google_secret_manager_secret_version" "mysecret" {
  secret = "somesecretid"
}

With the error:

Check: CKV_SECRET_6: "Base64 High Entropy String"
        FAILED for resource: 8b50635275125444f17b28140b0eb5f529861e4b
        File: /secrets.tf:6-7
        Guide: https://docs.bridgecrew.io/docs/git_secrets_6

Expected behavior: Checkov should not report this as a failed check, because this is the secret id, not the secret value.

Desktop (please complete the following information):

  • OS: ubuntu
  • Checkov Version 2.0.446

calexandre avatar Sep 27 '21 17:09 calexandre
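Added example, not Checkov's code and not from this thread: a simplified model of the kind of scan that produces these reports, so a practitioner can see why a secret id (`secret = "somesecretid"`), a Helm TLS `secretName`, an ARM Key Vault `secretName` and a `github_actions_secret` `secret_name` all score as "high entropy". The model pairs a secret-ish keyword on the line with the Shannon entropy of the quoted value; that Checkov pairs keyword matching with an entropy score, and the limit of 3.0 bits used here, are assumptions for illustration, not facts taken from Checkov's source. The sample lines are constructed from the snippets reported in this thread, and `mask` only mirrors the `sona*************` style of output shown later in the thread.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Entropy limit for the keyword+entropy model below. This value is an
# assumption for illustration; a limit this low is what lets ordinary
# identifiers (secret ids, Kubernetes secret names) cross the bar.
ENTROPY_LIMIT = 3.0

# A line is a candidate only when a secret-ish keyword is followed by an
# assignment (HCL `=`, YAML/JSON `:`) and a double-quoted value. The `\w*"?`
# tail lets `secret`, `secretName`, `"secretName"` and `secret_name` all match.
KEYWORD_ASSIGNMENT = re.compile(
    r'(?i)(secret|password|passwd|token|api_?key)\w*"?\s*[:=]\s*"([^"]+)"'
)


@dataclass
class Finding:
    line: int
    keyword: str
    value: str
    entropy: float


def shannon_entropy(value: str) -> float:
    """Shannon entropy (bits per character) over the string's own alphabet."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def scan_line(line: str, limit: float = ENTROPY_LIMIT):
    """Return (keyword, value, entropy, flagged), or None if no keyword assignment."""
    m = KEYWORD_ASSIGNMENT.search(line)
    if m is None:
        return None
    keyword, value = m.group(1), m.group(2)
    h = shannon_entropy(value)
    # The score never asks whether the value is a name or a secret: only its entropy.
    return keyword, value, h, h > limit


def scan_lines(lines, limit: float = ENTROPY_LIMIT):
    """Scan a list of lines and return one Finding per flagged line (1-based numbers)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        result = scan_line(line, limit)
        if result is not None and result[3]:
            keyword, value, h, _ = result
            findings.append(Finding(lineno, keyword, value, round(h, 3)))
    return findings


def mask(value: str) -> str:
    """Mask a value the way the reports in this thread show it: 4 chars, then stars."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample lines modelled on the snippets reported in this thread.
SAMPLE_LINES = [
    'data "google_secret_manager_secret_version" "mysecret" {',   # 1: no assignment, not matched
    '  secret = "somesecretid"',                                   # 2: secret *id*, flagged
    '}',                                                           # 3: not matched
    '      secretName: "sonarqube-dns-tls"',                       # 4: TLS secret *name*, flagged
    '"secretName": "storage-account-connection-string"',           # 5: Key Vault secret *name*, flagged
    'secret_name = "DEPLOY_TOKEN"',                                # 6: GitHub Actions secret *name*, flagged
    'password = "aaaaaaaa"',                                       # 7: keyword but zero entropy, not flagged
    'token = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg=="',         # 8: keyword + high entropy, flagged
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line}: {f.keyword} -> {mask(f.value)!r} entropy={f.entropy}")
```

Run it and the three identifier-style values score between roughly 3.0 and 3.6 bits, the same range as a short genuine secret, which is the whole problem: once a keyword like `secret` is on the line, the entropy score alone cannot tell a resource name from a credential. Raising the limit to the 4.5 bits that detect-secrets uses for base64 by default would silence these but also miss the 20-character base64 blob; the practical check is to run the model over your own files and see which identifier names cross the limit you have configured.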

I was getting this in Jenkins, but when I ran on desktop without the -o and redirect, I discovered that I was really getting a ton of file parse errors (https://github.com/bridgecrewio/checkov/issues/1663). Limiting to 2.0.437 has resolved the issue for now.

ddanf avatar Sep 28 '21 13:09 ddanf

Any news on this? Still happening on version 2.0.476.

calexandre avatar Oct 06 '21 15:10 calexandre

Got the same for Terraform on Azure Key Vault secrets. Even the #checkov:skip=CKV_SECRET_6 doesn't skip the check for me.

Using the "latest" docker tag in an Azure DevOps pipeline.

BesartSulejmani avatar Oct 07 '21 13:10 BesartSulejmani

I can confirm that this is still present. I'm using version: 2.0.563.

bogdan-milescu avatar Nov 10 '21 14:11 bogdan-milescu

I am getting the same error when reading the following ARM template, which is located in my directory.

{
    "properties": {
        "type": "AzureBlobStorage",
        "annotations": [],
        "typeProperties": {
            "connectionString": {
                "type": "AzureKeyVaultSecret",
                "store": {
                    "referenceName": "kv_ls_primary",
                    "type": "LinkedServiceReference"
                },
                "secretName": "storage-account-connection-string"
            }
        }
    },
    "type": "Microsoft.DataFactory/factories/linkedservices"
}

The following error was received:

Resource 2b442dd9a7ae593d71f647e89bc3f809e01510bb failed in check CKV_SECRET_6/Base64 High Entropy String - /initialization/03-AzureStorageProcessingLinkedService.json:[12, 13] - Guideline: https://docs.bridgecrew.io/docs/git_secrets_6

I am using version: 2.0.616

SebastianBalle avatar Dec 20 '21 14:12 SebastianBalle

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jun 26 '22 16:06 stale[bot]

Similar false-positive with CKV_SECRET_6 for plain secretName in terraform code:

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: bfa4f5d5d3003dfabdcf6a2107785ec0019cb6bb
	File: /main.tf:369-370
	Guide: https://docs.bridgecrew.io/docs/git_secrets_6

		369 |       secretName: "sona*************"

where line 369 looks like:

      secretName: "sonarqube-dns-tls"

... inside the values = [] block.

Checkov version is 2.1.16.

sj-asm avatar Jun 29 '22 07:06 sj-asm

I get this with the github_actions_secret resource's secret_name as well.

codyhazelwood avatar Jul 23 '22 03:07 codyhazelwood

Thanks for all the examples, guys. I promise we are planning to take a look at this in the next few weeks!

nimrodkor avatar Nov 03 '22 07:11 nimrodkor