43 lines
1.3 KiB
Rego
43 lines
1.3 KiB
Rego
|
|
# Secret Exposure Policy
|
||
|
|
# Detects exposed secrets in code and containers
|
||
|
|
|
||
|
|
package audit.secrets
|
||
|
|
|
||
|
|
# Deny if unencrypted secrets are found in container
|
||
|
|
deny[msg] {
|
||
|
|
input.container_type
|
||
|
|
secret := input.secrets[_]
|
||
|
|
secret.encrypted == false
|
||
|
|
msg = sprintf("Unencrypted secret detected: %s in container %s", [secret.type, input.name])
|
||
|
|
}
|
||
|
|
|
||
|
|
# Deny if hardcoded credentials are found
|
||
|
|
deny[msg] {
|
||
|
|
hardcoded := input.hardcoded_credentials[_]
|
||
|
|
msg = sprintf("Hardcoded credential detected: %s in file %s", [hardcoded.type, hardcoded.location])
|
||
|
|
}
|
||
|
|
|
||
|
|
# Ensure secrets use allowed encryption backends
|
||
|
|
deny[msg] {
|
||
|
|
secret := input.secrets[_]
|
||
|
|
secret.encrypted == true
|
||
|
|
backend := secret.backend
|
||
|
|
not backend in ["sops", "kms", "vault", "sealed-secrets"]
|
||
|
|
msg = sprintf("Secret uses unauthorized encryption backend: %s", [backend])
|
||
|
|
}
|
||
|
|
|
||
|
|
# Require encryption for sensitive environment variables
|
||
|
|
deny[msg] {
|
||
|
|
env_var := input.environment_variables[_]
|
||
|
|
env_var.sensitive == true
|
||
|
|
env_var.encrypted == false
|
||
|
|
msg = sprintf("Sensitive environment variable %s must be encrypted", [env_var.name])
|
||
|
|
}
|
||
|
|
|
||
|
|
# Check for valid secret rotation policy
|
||
|
|
deny[msg] {
|
||
|
|
secret := input.secrets[_]
|
||
|
|
not secret.rotation_policy
|
||
|
|
msg = sprintf("Secret %s missing rotation policy", [secret.name])
|
||
|
|
}
|