Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(secrets): change entropy limit in Combinator plugin #3575

Merged
merged 12 commits into from
Sep 29, 2022
Merged

fix(secrets): change entropy limit in Combinator plugin #3575

merged 12 commits into from
Sep 29, 2022

Conversation

marynaKK
Copy link
Contributor

@marynaKK marynaKK commented Sep 28, 2022
edited
Loading

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Sets a different limit for entropy for the standalone plugin vs. the combinator plugin.

The change would cause finding fewer false positive secrets in source code, but leaves the Iac findings as it.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@marynaKK marynaKK changed the title fix(secrets) - change limit only for source code, to be more tight fix(secrets): change limit only for source code, to be more tight Sep 28, 2022
@marynaKK marynaKK changed the title fix(secrets): change limit only for source code, to be more tight fix(secrets): change entropy limit in Combinator plugin Sep 28, 2022
gruebel
gruebel reviewed Sep 28, 2022
View reviewed changes
checkov/secrets/runner.py Outdated Show resolved Hide resolved
@marynaKK
Copy link
Contributor Author

@nimrodkor please verify the tests I added are enough :)
Also, I remembered we talked about adding 2 plugins of Base64HighEntropyString and HexHighEntropyString to the list of all plugins. Is this necessary? Am I missing something here?
Thanks!

gruebel
gruebel approved these changes Sep 28, 2022
View reviewed changes
Copy link
Contributor

@gruebel gruebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice, looks good 🍹

@marynaKK
Copy link
Contributor Author

@nimrodkor does it look OK now?
thanks! 🌸

nimrodkor
nimrodkor approved these changes Sep 29, 2022
View reviewed changes
Copy link
Contributor

@nimrodkor nimrodkor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

checkov/secrets/plugins/entropy_keyword_combinator.py Outdated Show resolved Hide resolved
@marynaKK marynaKK merged commit c3bae90 into master Sep 29, 2022
@marynaKK marynaKK deleted the false-pos-secrets-source-code branch September 29, 2022 09:06
gruebel pushed a commit to gruebel/checkov that referenced this pull request Sep 29, 2022
@marynaKK @schosterbarak
fix(secrets): change entropy limit in Combinator plugin (bridgecrewio…
f90f44b 
…#3575)

* inital try - 1 test fails

* changed the example in the false positive test

* indicate the failed test

* adjusted limits for relevant files

* removed unnessary added plugins

* moved both limits to be together

* remove comment

* change combinator plugin to examine only non-source-code files

* undo the last change to combinator plugin

* changed the combinator to combine keywords only in Iac, in sc files scan only with high entropy

* remove commented code

* improved statement
@nimrodkor nimrodkor mentioned this pull request Nov 3, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gruebel gruebel gruebel approved these changes

@nimrodkor nimrodkor nimrodkor approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marynaKK @nimrodkor @gruebel