fix(secrets): filter secrets that have vault: in them (#6565)

* filter vault * fix * add test and small fix * small fix * small fix2
bridgecrewio · Jul 11, 2024 · bbfc595 · bbfc595
1 parent 2966084
commit bbfc595
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py
@@ -81,6 +81,10 @@
 MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000'))  # 5 MB is default limit
 
 
+def should_filter_vault_secret(secret_value: str, check_id: str) -> bool:
+    return 'vault:' in secret_value.lower() and check_id in ENTROPY_CHECK_IDS
+
+
 class Runner(BaseRunner[None, None, None]):
     check_type = CheckType.SECRETS  # noqa: CCE003  # a static attribute
 
@@ -229,6 +233,9 @@ def run(
                 if not check_id:
                     logging.debug(f'Secret was filtered - no check_id for line_number {secret.line_number}')
                     continue
+                if secret.secret_value and should_filter_vault_secret(secret.secret_value, check_id):
+                    logging.debug(f'Secret was filtered - this is a vault reference: {secret.secret_value}')
+                    continue
                 secret_key = f'{key}_{secret.line_number}_{secret.secret_hash}'
                 # secret history
                 added_commit_hash, removed_commit_hash, code_line, added_by, removed_date, added_date = '', '', '', '', '', ''

diff --git a/tests/secrets/test_vault_secrets.py b/tests/secrets/test_vault_secrets.py
@@ -0,0 +1,21 @@
+from checkov.secrets.runner import should_filter_vault_secret
+
+HIGH_ENTROPY_CHECK_ID = 'CKV_SECRET_80'
+
+def test_vault_secrets_false_positives():
+    fp_secrets = [
+        'DB_RBMQ_PASSWORD: vault: secret/data/product-web/mcrp-qwr-v2/mabbot#PASSWORD',
+        'WEB_PASSWORD: vault: secret/data/product/fwrp-qe-v3/parme3#PASSWORD',
+        'PASS: vault: secret/sr/dt/pro/fwrtq1#2/weg#PASSWORD'
+    ]
+    for fp_secret in fp_secrets:
+        assert should_filter_vault_secret(fp_secret, HIGH_ENTROPY_CHECK_ID)
+
+def test_secrets_without_vault():
+    real_secrets = [
+        'ldap_pwd = k%udk423u4%P8=H_',
+        'password = J6T4ww+##14m',
+        'PS = 1r4#Gf2FDF$343r3m2me3r%'
+    ]
+    for real_secret in real_secrets:
+        assert not should_filter_vault_secret(real_secret, HIGH_ENTROPY_CHECK_ID)