ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6335/secrets/rule.adoc
Fred Tingaud d3cfe19d7e
Fix broken or dangerous backquotes 
Co-authored-by: Marco Borgeaud <89914223+marco-antognini-sonarsource@users.noreply.github.com>
2023-10-30 10:33:56 +01:00

68 lines
2.2 KiB
Plaintext
Raw Blame History

include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.
:secret_type: secret
include::../../../shared_content/secrets/impact/phishing.adoc[]
include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
include::../../../shared_content/secrets/impact/financial_loss.adoc[]
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
==== Noncompliant code example
Here is an example of a service account key file. In general it is in the form
of a json file as demonstrated in the
https://cloud.google.com/iam/docs/keys-create-delete#creating[GCP docs].
[source,json]
----
{
"type": "service_account",
"project_id": "example-project",
"private_key_id": "2772b8e6f42dc67369b98f0b91694f7805b28844",
"private_key": "-----BEGIN PRIVATE KEY-----\nKBww9jggAgBEHBCBAASIMDsoCBAuAQINAgFAGSXQTkiAE0cEIkoQghJAqGavB/r3\n2W6raHa1Qrfj6pii5U2Ok53SxCyK3TxYc3Bfxq8orZeYC9LQ/I3tz7w4/BnT71AD\nfP1i8SWHsRMIicSuVFcRoYMA+A1eNSmdrujdBNWgedfuSyHbPnNY7s8BBUIoBN7I\n8gJG5DUUKAZfZDB2c/n7Yu0=\n-----END PRIVATE KEY-----\n",
"client_email": "example@example.iam.gserviceaccount.example.com",
"client_id": "492539091821492546176",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/example%40example.iam.gserviceaccount.example.com",
"universe_domain": "googleapis.com"
}
----
==== Compliant solution
Always avoid committing service account key files to public systems. Use any
``++*ignore++`` file possible, such as `.gitignore`, `.dockerignore` and equivalents
for any other system accessing your local codebase.
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks
Reference in New Issue View Git Blame Copy Permalink