Merge pull request #3031 from returntocorp/merge-develop-to-release

Merge Develop into Release
semgrep · Aug 8, 2023 · 33dea02 · 33dea02
2 parents 1f7129d + b4b4cf0
commit 33dea02
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 6 deletions.
diff --git a/dockerfile/security/secret-in-build-arg.dockerfile b/dockerfile/security/secret-in-build-arg.dockerfile
@@ -26,6 +26,15 @@ ARG SECRET_KEY_BASE
 # ruleid: secret-in-build-arg
 ARG SECRET_TOKEN
 
+# ruleid: secret-in-build-arg
+ARG AUTH_TOKEN="this-is-a-secret"
+
+# ruleid: secret-in-build-arg
+ARG SSH_PRIVATE_KEY
+
+# ruleid: secret-in-build-arg
+ARG CERT_PASSWORD
+
 # ruleid: secret-in-build-arg
 ARG DJANGO_SECRET_KEY
 

diff --git a/dockerfile/security/secret-in-build-arg.yaml b/dockerfile/security/secret-in-build-arg.yaml
@@ -1,16 +1,18 @@
 rules:
 - id: secret-in-build-arg
   patterns:
-  - pattern: ARG $ARG
+  - pattern-either:
+    - pattern: ARG $ARG
+    - pattern: ARG $ARG=...
   - metavariable-regex:
       metavariable: $ARG
-      regex: (?i).*(password|secret|token)
+      regex: (?i).*(password|secret|token|key|cert|api|auth)
   message: >-
     Docker build time arguments are not suited for secrets, because the
     argument values are saved with the image. Running `docker image history` on the
     image will show information on how the image was built, including arguments. If
-    these contain secrets, anyone with access to the docker image can access those
-    secrets.
+    these contain plain text secrets, anyone with access to the docker image can access
+    those secrets and exploit them.
   metadata:
     category: security
     technology:
@@ -23,10 +25,10 @@ rules:
     - https://cwe.mitre.org/data/definitions/538.html
     - https://docs.docker.com/engine/reference/builder/#arg
     subcategory:
-    - audit
+      - audit
     likelihood: LOW
     impact: HIGH
     confidence: LOW
   languages:
-  - dockerfile
+    - dockerfile
   severity: WARNING