False positive for CKV_SECRET_6 for google_secret_manager_secret_version resources

[calexandre]

Describe the bug
Checkov 2.0.446 is detecting a false positive regarding the secret manager usage.

Basically it is showing multiple failed check for resources declared in the following format:

data "google_secret_manager_secret_version" "mysecret" {
  secret = "somesecretid"
}

With the error:

Check: CKV_SECRET_6: "Base64 High Entropy String"
        FAILED for resource: 8b50635275125444f17b28140b0eb5f529861e4b
        File: /secrets.tf:6-7
        Guide: https://docs.bridgecrew.io/docs/git_secrets_6

Expected behavior
Checkov should not detect this is a failed check, because this is the secret-id, and not the secret value.

Desktop (please complete the following information):

• OS: ubuntu
• Checkov Version 2.0.446

[ddanf]

I was getting this in jenkins but when I ran on desktop without the -o and redirect, I discovered that I was really getting a ton of file parse errors (#1663). limiting to 2.0.437 has resolved the issue for now.

[calexandre]

any news on this? Still happening on version 2.0.476

[BesartSulejmani]

Got the same for Terraform on Azure Key Vault secrets. Even the #checkov:skip=CKV_SECRET_6 doesn't skip the check for me.

Using the "latest" docker tag in an Azure DevOps pipeline.

[bogdan-milescu]

I can confirm that this is still present. I'm using version: 2.0.563.

[SebastianBalle]

I am getting the same error when reading the following ARM template which is located in my directory.

{
    "properties": {
        "type": "AzureBlobStorage",
        "annotations": [],
        "typeProperties": {
            "connectionString": {
                "type": "AzureKeyVaultSecret",
                "store": {
                    "referenceName": "kv_ls_primary",
                    "type": "LinkedServiceReference"
                },
                "secretName": "storage-account-connection-string"
            }
        }
    },
    "type": "Microsoft.DataFactory/factories/linkedservices"
}

The following error was received
Resource 2b442dd9a7ae593d71f647e89bc3f809e01510bb failed in check CKV_SECRET_6/Base64 High Entropy String - /initialization/03-AzureStorageProcessingLinkedService.json:[12, 13] - Guideline: https://docs.bridgecrew.io/docs/git_secrets_6

I am using version: 2.0.616

[stale]

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

[sj-asm]

Similar false-positive with CKV_SECRET_6 for plain secretName in terraform code:

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: bfa4f5d5d3003dfabdcf6a2107785ec0019cb6bb
	File: /main.tf:369-370
	Guide: https://docs.bridgecrew.io/docs/git_secrets_6

		369 |       secretName: "sona*************"

where line 369 looks like:

      secretName: "sonarqube-dns-tls"

... inside the values = [] block.

checkov version is 2.1.16

[codyhazelwood]

I get this with the github_actions_secret resource's secret_name as well.

[nimrodkor]

Thanks for all the examples guys. I promise we are planning to take a look at this in the few upcoming weeks!