From b4b4cf00adbc324b9470be548bfc49376c052eba Mon Sep 17 00:00:00 2001
From: Keshav Malik <33570148+theinfosecguy@users.noreply.github.com>
Date: Mon, 7 Aug 2023 10:46:46 +0530
Subject: [PATCH] Update Regex to detect secrets in Dockerfile (#3028)

* Update Regex to detect secrets in Dockerfile

* Update secret-in-build-arg.yaml

---------

Co-authored-by: Vasilii Ermilov
---
 dockerfile/security/secret-in-build-arg.dockerfile | 9 +++++++++
 dockerfile/security/secret-in-build-arg.yaml | 14 ++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/dockerfile/security/secret-in-build-arg.dockerfile b/dockerfile/security/secret-in-build-arg.dockerfile
index 618c33a269..2abdcdb41c 100644
--- a/dockerfile/security/secret-in-build-arg.dockerfile
+++ b/dockerfile/security/secret-in-build-arg.dockerfile
@@ -26,6 +26,15 @@ ARG SECRET_KEY_BASE
 # ruleid: secret-in-build-arg
 ARG SECRET_TOKEN
+# ruleid: secret-in-build-arg
+ARG AUTH_TOKEN="this-is-a-secret"
+
+# ruleid: secret-in-build-arg
+ARG SSH_PRIVATE_KEY
+
+# ruleid: secret-in-build-arg
+ARG CERT_PASSWORD
+
 # ruleid: secret-in-build-arg
 ARG DJANGO_SECRET_KEY
diff --git a/dockerfile/security/secret-in-build-arg.yaml b/dockerfile/security/secret-in-build-arg.yaml
index 1977206e07..7c24ed06e0 100644
--- a/dockerfile/security/secret-in-build-arg.yaml
+++ b/dockerfile/security/secret-in-build-arg.yaml
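Review bot: The three new fixtures `ARG AUTH_TOKEN="this-is-a-secret"`, `ARG SSH_PRIVATE_KEY` and `ARG CERT_PASSWORD` exercise only the positive side of the widened rule; nothing in this file asserts that a build argument which merely contains `key`, `cert`, `api` or `auth` as a substring is left alone. With the regex the companion yaml hunk introduces, names such as `API_VERSION`, `KEYCLOAK_URL` or `AUTHOR` appear to be reported too, and there is no `# ok: secret-in-build-arg` case making that trade-off visible. Suggest adding at least one negative fixture per new keyword, e.g. `# ok: secret-in-build-arg` followed by `ARG API_VERSION`, and then either accepting the resulting failure as a known limitation or tightening the regex until it passes. The rest of the fixture file, including any existing `ok:` cases, is outside this hunk.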
@@ -1,16 +1,18 @@
 rules:
 - id: secret-in-build-arg
 patterns:
- - pattern: ARG $ARG
+ - pattern-either:
+ - pattern: ARG $ARG
+ - pattern: ARG $ARG=...
 - metavariable-regex:
 metavariable: $ARG
- regex: (?i).*(password|secret|token)
+ regex: (?i).*(password|secret|token|key|cert|api|auth)
 message: >-
 Docker build time arguments are not suited for secrets, because the argument
 values are saved with the image. Running `docker image history` on the image
 will show information on how the image was built, including arguments. If
- these contain secrets, anyone with access to the docker image can access those
- secrets.
+ these contain plain text secrets, anyone with access to the docker image can access
+ those secrets and exploit them.
 metadata:
 category: security
 technology:
@@ -23,10 +25,10 @@ rules:
 - https://cwe.mitre.org/data/definitions/538.html
 - https://docs.docker.com/engine/reference/builder/#arg
 subcategory:
- - audit
+ - audit
 likelihood: LOW
 impact: HIGH
 confidence: LOW
 languages:
- - dockerfile
+ - dockerfile
 severity: WARNING
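Review bot: The widened `regex: (?i).*(password|secret|token|key|cert|api|auth)` adds four very short alternatives, and because of the leading `.*` and the unanchored tail they match anywhere in the argument name, so ordinary build arguments like `API_VERSION`, `KEYCLOAK_HOST`, `CERT_PATH` or `AUTHOR` will now be reported alongside `SECRET_TOKEN`, which is a notable false-positive cost for a rule that already carries `confidence: LOW`. Consider naming the forms secret material actually takes instead of the bare words, e.g. `regex: (?i).*(password|passwd|secret|token|private_?key|api_?key|access_?key|auth_?token|credential)`, or, if the engine behind metavariable-regex supports look-around, exclude common non-secret suffixes such as `_(url|path|version|file|id)$`. Whichever direction is taken, the dockerfile fixture should gain `# ok:` cases so the boundary is pinned by the test. The new `- pattern: ARG $ARG=...` alternative would also benefit from a one-line comment in the yaml, `# also match ARG NAME=default, since the default value is recorded in the image history too`.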