From bbfc59503c81f1f495be3cd278edde8430f9a717 Mon Sep 17 00:00:00 2001
From: Rabea Zreik <47931006+RabeaZr@users.noreply.github.com>
Date: Thu, 11 Jul 2024 17:47:52 +0300
Subject: [PATCH] fix(secrets): filter secrets that have vault: in them (#6565)

* filter vault
* fix
* add test and small fix
* small fix
* small fix2
---
 checkov/secrets/runner.py           |  7 +++++++
 tests/secrets/test_vault_secrets.py | 21 +++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 tests/secrets/test_vault_secrets.py

diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py
index db9f9281a66..86b3cf11e67 100644
--- a/checkov/secrets/runner.py
+++ b/checkov/secrets/runner.py
@@ -81,6 +81,10 @@
 MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000')) # 5 MB is default limit
 
 
+def should_filter_vault_secret(secret_value: str, check_id: str) -> bool:
+    return 'vault:' in secret_value.lower() and check_id in ENTROPY_CHECK_IDS
+
+
 class Runner(BaseRunner[None, None, None]):
     check_type = CheckType.SECRETS # noqa: CCE003 # a static attribute
 
@@ -229,6 +233,9 @@ def run(
             if not check_id:
                 logging.debug(f'Secret was filtered - no check_id for line_number {secret.line_number}')
                 continue
+            if secret.secret_value and should_filter_vault_secret(secret.secret_value, check_id):
+                logging.debug(f'Secret was filtered - this is a vault reference: {secret.secret_value}')
+                continue
             secret_key = f'{key}_{secret.line_number}_{secret.secret_hash}'
             # secret history
             added_commit_hash, removed_commit_hash, code_line, added_by, removed_date, added_date = '', '', '', '', '', ''
diff --git a/tests/secrets/test_vault_secrets.py b/tests/secrets/test_vault_secrets.py
new file mode 100644
index 00000000000..e758fbc4aaa
--- /dev/null
+++ b/tests/secrets/test_vault_secrets.py
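Review bot: The substring test `'vault:' in secret_value.lower()` in should_filter_vault_secret suppresses any entropy finding whose value contains that token anywhere, so a genuine high-entropy credential that merely embeds it (a constructed example: a connection string pointing at `https://vault:8200/...`) is silenced as well. If the value the runner passes is the bare detected secret rather than the whole line, anchoring the match is safer, e.g. `secret_value.lower().lstrip().startswith('vault:')`; the new test file feeds whole `KEY: vault: ...` lines, so how secret_value is populated should be confirmed before tightening it. The helper also has no docstring; I would add `"""Return True for an entropy-based finding (check_id in ENTROPY_CHECK_IDS) whose value is a vault reference rather than a literal secret."""`.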
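Review bot: The new debug message in run() writes `secret.secret_value` to the log in cleartext, while the message directly above it deliberately logs only `secret.line_number`; because the filter fires on a substring match, a value that is in fact a real credential can reach this line and end up in debug output. Log the location instead of the value: `logging.debug(f'Secret was filtered - vault reference at line_number {secret.line_number}')`. run() starts and ends outside the hunk.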
@@ -0,0 +1,21 @@
+from checkov.secrets.runner import should_filter_vault_secret
+
+HIGH_ENTROPY_CHECK_ID = 'CKV_SECRET_80'
+
+def test_vault_secrets_false_positives():
+    fp_secrets = [
+        'DB_RBMQ_PASSWORD: vault: secret/data/product-web/mcrp-qwr-v2/mabbot#PASSWORD',
+        'WEB_PASSWORD: vault: secret/data/product/fwrp-qe-v3/parme3#PASSWORD',
+        'PASS: vault: secret/sr/dt/pro/fwrtq1#2/weg#PASSWORD'
+    ]
+    for fp_secret in fp_secrets:
+        assert should_filter_vault_secret(fp_secret, HIGH_ENTROPY_CHECK_ID)
+
+def test_secrets_without_vault():
+    real_secrets = [
+        'ldap_pwd = k%udk423u4%P8=H_',
+        'password = J6T4ww+##14m',
+        'PS = 1r4#Gf2FDF$343r3m2me3r%'
+    ]
+    for real_secret in real_secrets:
+        assert not should_filter_vault_secret(real_secret, HIGH_ENTROPY_CHECK_ID)
\ No newline at end of file
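Review bot: Neither test exercises the check_id half of the filter: a value containing `vault:` paired with a check id that is not in ENTROPY_CHECK_IDS must return False, and that branch of the `and` is currently untested, so a regression that drops the gate would pass this suite. Add a case such as `assert not should_filter_vault_secret(fp_secrets[0], '<NON_ENTROPY_CHECK_ID>')` with a real non-entropy id from the project's check list (placeholder here). The file is also missing its trailing newline, and the two loops of asserts would read better as `@pytest.mark.parametrize` cases so a failing input is reported individually.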