feat(scan): do not trigger false alerts on ExternalSecrets file #6812
Labels: community, feature request, kubernetes, query
Is your feature request related to a problem? Please describe.
external-secrets is a project used to synchronize sensitive information from secrets providers and Kubernetes clusters without needing the end user to have any credentials whatsoever. It is also compatible with IaC by leveraging any GitOps mechanism to deploy the manifests onto the target cluster.
Currently, any ExternalSecret manifest generates a false alert, as a reference to a Kubernetes Secret key (named `secretKey`) is identified as sensitive information (while it is really a metadata address for the key, not for the value).
Describe the solution you'd like
ExternalSecrets manifests should be avoided by adding a specific avoid rule in https://github.com/Checkmarx/kics/blob/master/assets/queries/common/passwords_and_secrets/regex_rules.json#L30C1-L47
Describe alternatives you've considered
Deal with the pain of false alerts for a tool that actually helps reduce sensitive information in git repos in the first place :)
Additional context
This discussion here triggered me to open up this issue.
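To make the false positive concrete, here is an added example (not KICS code and not part of this issue) of a naive secret-key regex rule run over two constructed manifests, with an exemption that is narrower than skipping whole ExternalSecret files: only the `secretKey` field of an ExternalSecret is treated as metadata, while a literal credential in a plain Secret is still reported. The field names follow the external-secrets.io ExternalSecret CRD (`spec.data[].secretKey`, `spec.data[].remoteRef.key`); the manifests and the rule itself are constructed for this example.

```python
import re

# Constructed ExternalSecret manifest: secretKey names a key in the generated
# Kubernetes Secret, remoteRef.key names the entry in the provider. No value here.
EXTERNAL_SECRET_MANIFEST = """\
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: prod/db
        property: password
"""

# Constructed plain Secret manifest that really embeds a credential value.
PLAIN_SECRET_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
stringData:
  password: hunter2-constructed-sample
"""

# Naive rule in the spirit of a generic "secret key" pattern: a key named
# secretKey/password/token followed by a value is flagged as a credential.
SECRET_PATTERN = re.compile(r"^\s*-?\s*(secretKey|password|token)\s*:\s*(\S+)")

def is_external_secret(manifest: str) -> bool:
    """True when the manifest declares kind: ExternalSecret."""
    return re.search(r"^kind:\s*ExternalSecret\s*$", manifest, re.MULTILINE) is not None

def find_secret_hits(manifest: str, exempt_external_secrets: bool = True) -> list:
    """Return (line_number, key_name) for each rule hit, minus the exemption."""
    external = exempt_external_secrets and is_external_secret(manifest)
    hits = []
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        m = SECRET_PATTERN.match(line)
        if not m:
            continue
        if external and m.group(1) == "secretKey":
            continue  # metadata address of the key, not a secret value
        hits.append((lineno, m.group(1)))
    return hits
```

Without the exemption the ExternalSecret manifest produces exactly the hit the issue describes; with it, only the plain Secret's embedded value is reported.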