rspec/rules/S6336/secrets/rule.adoc

include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

This rule flags instances of:

* Alibaba Cloud AccessKey ID
* Alibaba Cloud AccessKey secret

=== What is the potential impact?

AccessKeys are long term credentials designed to authenticate and authorize requests to Alibaba Cloud.

If your application interacts with Alibaba Cloud then it requires AccessKeys to
access all the resources it needs to function properly. Resources that can be
accessed depend on the permissions granted to the Alibaba Cloud account. +
These credentials may authenticate to the account root user who has
unrestricted access to all resources in your Alibaba Cloud account, including
billing information.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.

:secret_type: secret

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

include::../../../shared_content/secrets/impact/malware_distribution.adoc[]


== How to fix it

Only administrators should have access to the AccessKeys used by your application.

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

:example_secret: LTAI5tBcc9SecYAo
:example_name: alibaba-key
:example_env: ALIBABA_KEY

include::../../../shared_content/secrets/examples.adoc[]

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`include::../../../shared_content/secrets/description.adoc[]`
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`== Why is this an issue?`
Create rule S6336: Alibaba Cloud AccessKeys should not be disclosed (#224) 2021-09-08 11:31:19 +02:00
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`include::../../../shared_content/secrets/rationale.adoc[]`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
			`This rule flags instances of:`

			`* Alibaba Cloud AccessKey ID`
			`* Alibaba Cloud AccessKey secret`

APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`=== What is the potential impact?`

			`AccessKeys are long term credentials designed to authenticate and authorize requests to Alibaba Cloud.`

			`If your application interacts with Alibaba Cloud then it requires AccessKeys to`
			`access all the resources it needs to function properly. Resources that can be`
			`accessed depend on the permissions granted to the Alibaba Cloud account. +`
			`These credentials may authenticate to the account root user who has`
			`unrestricted access to all resources in your Alibaba Cloud account, including`
			`billing information.`

			`Below are some real-world scenarios that illustrate some impacts of an attacker`
			`exploiting the secret.`

			`:secret_type: secret`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`include::../../../shared_content/secrets/impact/financial_loss.adoc[]`

			`include::../../../shared_content/secrets/impact/data_compromise.adoc[]`

			`include::../../../shared_content/secrets/impact/malware_distribution.adoc[]`


			`== How to fix it`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
			`Only administrators should have access to the AccessKeys used by your application.`

APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`include::../../../shared_content/secrets/fix/revoke.adoc[]`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`include::../../../shared_content/secrets/fix/vault.adoc[]`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`=== Code examples`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`:example_secret: LTAI5tBcc9SecYAo`
			`:example_name: alibaba-key`
			`:example_env: ALIBABA_KEY`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`include::../../../shared_content/secrets/examples.adoc[]`

			`//=== How does this work?`

			`//=== Pitfalls`

			`//=== Going the extra mile`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
			`== Resources`

APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-09-08 10:00:48 +02:00			`include::../../../shared_content/secrets/resources/standards.adoc[]`

			`//=== Benchmarks`
Create rule S6336: Alibaba Cloud AccessKeys should not be disclosed (#224) 2021-09-08 11:31:19 +02:00