ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6336/secrets/rule.adoc
daniel-teuchert-sonarsource a91542370a
APPSEC-1056 Modify S6336(secrets): Make text compliant (#3013) 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2023-09-08 10:00:48 +02:00

63 lines
1.6 KiB
Plaintext
Raw Permalink Blame History

include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
This rule flags instances of:
* Alibaba Cloud AccessKey ID
* Alibaba Cloud AccessKey secret
=== What is the potential impact?
AccessKeys are long term credentials designed to authenticate and authorize requests to Alibaba Cloud.
If your application interacts with Alibaba Cloud then it requires AccessKeys to
access all the resources it needs to function properly. Resources that can be
accessed depend on the permissions granted to the Alibaba Cloud account. +
These credentials may authenticate to the account root user who has
unrestricted access to all resources in your Alibaba Cloud account, including
billing information.
Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.
:secret_type: secret
include::../../../shared_content/secrets/impact/financial_loss.adoc[]
include::../../../shared_content/secrets/impact/data_compromise.adoc[]
include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
== How to fix it
Only administrators should have access to the AccessKeys used by your application.
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
:example_secret: LTAI5tBcc9SecYAo
:example_name: alibaba-key
:example_env: ALIBABA_KEY
include::../../../shared_content/secrets/examples.adoc[]
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks
Reference in New Issue View Git Blame Copy Permalink