
Commit

Merge branch 'develop' of https://github.com/frozenSolid/semgrep-rules into develop
frozenSolid committed Aug 7, 2023
2 parents 7fd3212 + b4b4cf0 commit 7b1bd36
Showing 2 changed files with 17 additions and 6 deletions.
9 changes: 9 additions & 0 deletions dockerfile/security/secret-in-build-arg.dockerfile
Expand Up @@ -26,6 +26,15 @@ ARG SECRET_KEY_BASE
# ruleid: secret-in-build-arg
ARG SECRET_TOKEN

# ruleid: secret-in-build-arg
ARG AUTH_TOKEN="this-is-a-secret"

# ruleid: secret-in-build-arg
ARG SSH_PRIVATE_KEY

# ruleid: secret-in-build-arg
ARG CERT_PASSWORD

# ruleid: secret-in-build-arg
ARG DJANGO_SECRET_KEY

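Review bot: every new case in this hunk is a `# ruleid:` positive; there is no `# ok: secret-in-build-arg` case covering the false-positive side of the keyword list the companion .yaml change widens to `key|cert|api|auth`. Add a few negatives next to these, such as `ARG API_BASE_URL`, `ARG PUBLIC_KEY_PATH` and `ARG AUTHOR`, so `semgrep --test` documents which benign argument names the broadened regex now catches and the rule's precision is pinned down rather than assumed. The `ARG AUTH_TOKEN="this-is-a-secret"` case is a good addition, since it exercises the new `ARG $ARG=...` branch and an inline default is the more certain leak (the literal lands in the image layers no matter how the build is invoked).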
14 changes: 8 additions & 6 deletions dockerfile/security/secret-in-build-arg.yaml
@@ -1,16 +1,18 @@
rules:
- id: secret-in-build-arg
patterns:
- pattern: ARG $ARG
- pattern-either:
- pattern: ARG $ARG
- pattern: ARG $ARG=...
- metavariable-regex:
metavariable: $ARG
regex: (?i).*(password|secret|token)
regex: (?i).*(password|secret|token|key|cert|api|auth)
message: >-
Docker build time arguments are not suited for secrets, because the
argument values are saved with the image. Running `docker image history` on the
image will show information on how the image was built, including arguments. If
these contain secrets, anyone with access to the docker image can access those
secrets.
these contain plain text secrets, anyone with access to the docker image can access
those secrets and exploit them.
metadata:
category: security
technology:
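Review bot: the widened `regex: (?i).*(password|secret|token|key|cert|api|auth)` is a plain substring match, so it will also fire on build arguments that carry no secret at all, for example `API_URL`, `API_VERSION`, `PUBLIC_KEY`, `CERT_PATH`, `KEYBOARD` or `AUTHOR`; with `confidence: LOW` already declared on this rule, that is a lot of noise to push onto users. Consider narrowing the new terms to the compound forms that actually denote credentials, e.g. `private_key`, `api_?key`, `auth_?token`, `cert_?pass`, or adding a negative lookahead that excludes `_url`, `_path`, `_file` and `public_` names, and keep the negatives in the test file in step with whatever is chosen. Splitting the match into `pattern-either` with `ARG $ARG` and `ARG $ARG=...` is the right fix for defaults that were previously missed; the message text could also say that the value is recorded whether it is an inline default or passed with `--build-arg`, since both end up in the layer metadata.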
Expand All @@ -23,10 +25,10 @@ rules:
- https://cwe.mitre.org/data/definitions/538.html
- https://docs.docker.com/engine/reference/builder/#arg
subcategory:
- audit
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
languages:
- dockerfile
- dockerfile
severity: WARNING
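Review bot: this hunk is whitespace-only, as both the removed and added lines read `- audit` and `- dockerfile` respectively; YAML accepts either indentation for a sequence under a mapping key, so there is no behavioural change, but it is worth confirming that the list-item indentation now matches the rest of the file (the references list above and the other rules in the repository) so the rule file still loads and the style stays uniform. Re-indentation changes are easier to review when they are separated from the regex and pattern changes in the first hunk.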
