
[CKV_SECRET_6] Base64 High Entropy String

Open GunasheelaSatharasi opened this issue 1 year ago • 11 comments

Describe the issue

An incorrect result is being generated for the "Base64 High Entropy String" scan. Checkov is expecting different names for the resource names, such as Keyvault resource group name and Keyvault name. It seems to be checking for non-sensitive values, which is not what is required.

error message:

Resource: 4e70246419ef4003644606103ef18316880dd56e
File: /../../../../a/checkov_modules_southeastasia.json: 772-773
Guideline: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html

	772 | "resource_group_name": "rg-************************",

Examples

Please share an example code sample (in the IaC of your choice) + the expected outcomes.

Version (please complete the following information):

  • Checkov Version latest

Additional context

Add any other context about the problem here.

GunasheelaSatharasi avatar Aug 01 '23 15:08 GunasheelaSatharasi

I have an equal issue here

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: f53c4e1ecf5e03a16e84df0eed4606369891ba3b
	File: /values.yaml:28-29
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html

		28 |   zephyrTokenSecretName: "zeph***************"

The value is zephyrTokenSecretName: "zephyr-token-secret" and it's only a reference to the Secret and not a Password.

PascalTurbo avatar Aug 02 '23 13:08 PascalTurbo

Equivalent error here:

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: 031142ef3114c1b5ec79[...]
	File: /terragrunt.hcl:35-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

		35 |   rds_secrets_kms_key_alias  = "alias***************"

The actual line is:

	rds_secrets_kms_key_alias = "alias/rds-secrets-qa"

fractos avatar Nov 28 '23 17:11 fractos

Having a similar false positive when running checkov on our tfplan.json JSON terraform plan:

61 |       "SecretsBucket": "a8c-**********"

AliSoftware avatar Apr 17 '24 16:04 AliSoftware

Same, even the word Authorization (as the value of the API key name) is too much.

2055 |       "ApiKeyName": "Aut**********",

Worse though: I don't know how to turn this off. Where I can normally ignore this with metadata on the CloudFormation resource, for this check that doesn't work. The following will still produce the same error:

  "OriginSlackNotificationSlackConnection27891751": {
    "Type": "AWS::Events::Connection",
    "Properties": {
      "AuthParameters": {
        "ApiKeyAuthParameters": {
          "ApiKeyName": "Authorization",
          "ApiKeyValue": "{{resolve:secretsmanager:arn:aws:secretsmanager:eu-central-1:109936831616:secret:/vault/slack-integration:SecretString:botUserToken::}}"
        },
        "InvocationHttpParameters": {
          "HeaderParameters": [
            {
              "IsValueSecret": false,
              "Key": "Content-Type",
              "Value": "application/json;charset=utf-8"
            }
          ]
        }
      },
      "AuthorizationType": "API_KEY",
      "Description": "API connection to Slack workspace"
    },
    "Metadata": {
      "aws:cdk:path": "OfdMainServiceStack/OriginSlackNotification/SlackConnection/Connection",
      "checkov": {
        "skip": [
          {
            "id": "CKV_SECRET_6",
            "comment": "False positive: it thinks \"Authorization\" (as a word) has too much entropy and is a secret"
          }
        ]
      }
    }
  }

I'm using $.Metadata.checkov.skip in other places as well, but for CKV_SECRET_6 that doesn't work. Also I cannot add comments to JSON obviously, like you can with terraform HCL or something.

aukevanleeuwen avatar Jun 26 '24 17:06 aukevanleeuwen

Hi folks, you can increase the entropy level required to flag findings using the env variable CHECKOV_ENTROPY_KEYWORD_LIMIT. CHECKOV_ENTROPY_KEYWORD_LIMIT=3.6 removes many of these FPs. You can also use --skip-check to skip this policy altogether.

tsmithv11 avatar Jul 02 '24 18:07 tsmithv11
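To make the entropy numbers behind these reports concrete, here is an added example (written for this page; it is not Checkov's or detect-secrets' own code). It reproduces the Shannon-entropy formula detect-secrets uses for its Base64 high-entropy plugin (entropy over a Base64-style character set, divided by the full string length) and a simplified stand-in for the keyword behaviour that makes "zephyr-token-secret", "Authorization" and "PersonalAccessToken" show up: when the key name contains a secret-like word, a lower limit applies. The character set, the keyword list, the 3.0 default for the keyword path, and the reading of CHECKOV_ENTROPY_KEYWORD_LIMIT as that keyword-path limit are all assumptions; 4.5 is detect-secrets' documented Base64 default. The key names `some_token_name` and `api_key` for the last two samples are made up, and the long Base64-looking value is constructed for contrast.

```python
"""Added example: Shannon entropy of the strings quoted in this thread.

Illustrative code for this page, not Checkov's or detect-secrets' own
implementation. Thresholds, charset and keyword list are assumptions.
"""
from __future__ import annotations

import math
import string

# Assumption: charset of detect-secrets' Base64HighEntropyString plugin.
BASE64_CHARSET = string.ascii_letters + string.digits + "+/=-_"

# 4.5 is detect-secrets' documented Base64 default. 3.0 is assumed to be
# the limit used when the key name contains a secret-like keyword (the
# value CHECKOV_ENTROPY_KEYWORD_LIMIT is assumed to override); 3.6 is the
# value suggested in the thread.
BASE64_LIMIT = 4.5
KEYWORD_LIMIT_DEFAULT = 3.0
KEYWORD_LIMIT_SUGGESTED = 3.6

# Simplified stand-in for detect-secrets' keyword denylist (assumption).
SECRET_KEYWORDS = ("secret", "token", "password", "passwd", "pwd", "apikey", "api_key")


def shannon_entropy(data: str, charset: str = BASE64_CHARSET) -> float:
    """Bits of entropy per character. Only charset characters are counted,
    but the divisor is the full length, matching detect-secrets' formula."""
    if not data:
        return 0.0
    length = len(data)
    entropy = 0.0
    for ch in set(data):
        if ch not in charset:
            continue
        p = data.count(ch) / length
        entropy -= p * math.log2(p)
    return entropy


def has_secret_keyword(key: str) -> bool:
    """True if the key name contains a denylisted word, case-insensitively,
    so 'ApiKeyName', 'token_type' and 'rds_secrets_kms_key_alias' all match."""
    lowered = key.lower()
    return any(word in lowered for word in SECRET_KEYWORDS)


def effective_limit(key: str, keyword_limit: float = KEYWORD_LIMIT_DEFAULT) -> float:
    """Entropy a value must exceed before it is reported for this key."""
    return keyword_limit if has_secret_keyword(key) else BASE64_LIMIT


def would_flag(key: str, value: str, keyword_limit: float = KEYWORD_LIMIT_DEFAULT) -> bool:
    """Approximation of the CKV_SECRET_6 decision for one key/value pair."""
    return shannon_entropy(value) > effective_limit(key, keyword_limit)


# Key/value pairs quoted in the thread. The last two key names are made up
# (the thread does not show them) and the last value is constructed to
# look like a real Base64 secret for contrast.
SAMPLES = [
    ("zephyrTokenSecretName", "zephyr-token-secret"),
    ("rds_secrets_kms_key_alias", "alias/rds-secrets-qa"),
    ("ApiKeyName", "Authorization"),
    ("token_type", "PersonalAccessToken"),
    ("some_token_name", "MyProjectDF"),
    ("api_key", "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/=="),
]


def report(keyword_limit: float = KEYWORD_LIMIT_DEFAULT) -> list[tuple[str, str, float, bool]]:
    """(key, value, entropy rounded to 3 places, flagged?) for every sample."""
    return [(k, v, round(shannon_entropy(v), 3), would_flag(k, v, keyword_limit)) for k, v in SAMPLES]


if __name__ == "__main__":
    for limit in (KEYWORD_LIMIT_DEFAULT, KEYWORD_LIMIT_SUGGESTED):
        print(f"--- keyword limit {limit} ---")
        for key, value, ent, flagged in report(limit):
            print(f"{'FLAG' if flagged else 'ok  '}  {ent:5.3f}  {key} = {value!r}")
```

Run as a script it prints one table per limit. Every human-readable name in the thread lands between 3.2 and 3.6 bits per character, which is why they clear an assumed keyword limit of 3.0 but not 3.6, while the constructed Base64 value is above 5 bits and is reported under either limit and even without a keyword in the key name. Whether a raised limit takes effect in a given run still depends on the real scanner reading the variable, which this example does not model.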

Thanks, @tsmithv11. I’ll leave this issue open for a while to see if there’s more engagement on this matter.

Saarett avatar Jul 02 '24 21:07 Saarett

Guys, what's up?

I got the same error when trying to upload a resource to Azure. In this case I am trying to upload a Function App, where I put 2 values to fetch from Application Insights, the Instrumentation Key and the Connection String of the same, but I do not know where the value presented might be taken from.

Error message:

Guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

	671 | "password": "ckMdPC**********"

I don't know if the resolution shown in the link makes sense for my problem; if anyone has any comments on it, I'd be grateful.

Possible solution presented by Checkov:

	resource "aws_glue_connection" "examplevpc" {
	  connection_properties = {
	    JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
	    PASSWORD            = "valuethatdoesntcontainsecretword"
	    USERNAME            = "exampleusername"
	  }

	  name = "example"

	  physical_connection_requirements {
	    availability_zone      = aws_subnet.example.availability_zone
	    security_group_id_list = [aws_security_group.example.id]
	    subnet_id              = aws_subnet.example.id
	  }
	}

What he calls Password doesn't make much sense, because I can't find this value in any of the resources or in the Plan section of my code.

The option I'm trying to find is to SKIP this policy, but I'd like to understand where this result comes from :)

This also happens when I set the value default sensitive = true.

Joao23-sudo avatar Jul 08 '24 12:07 Joao23-sudo

Hi @Joao23-sudo , I hope you find @tsmithv11 's response helpful

Saarett avatar Jul 10 '24 05:07 Saarett

I'm guessing this is a new default. My example is azurerm_automation_source_control, which has a value token_type = "PersonalAccessToken" that triggers this, but somehow token = "value" doesn't.

This wasn't an issue last week.

akzov avatar Jul 29 '24 03:07 akzov

I just passed CHECKOV_ENTROPY_KEYWORD_LIMIT=3.6 as an env var while running and nothing changes - still a bunch of false positives. I'm going to go with local silences in code, but I find it silly that I have to do that with strings like "MyProjectDF".

serbezki avatar Jul 30 '24 05:07 serbezki