provisioning-platform/prov-ecosystem/crates/audit/policies/secret_exposure.rego

43 lines
1.3 KiB
Rego
Raw Permalink Normal View History

# Secret Exposure Policy
# Detects exposed secrets in code and containers
package audit.secrets
# Deny if unencrypted secrets are found in container
deny[msg] {
input.container_type
secret := input.secrets[_]
secret.encrypted == false
msg = sprintf("Unencrypted secret detected: %s in container %s", [secret.type, input.name])
}
# Deny if hardcoded credentials are found
deny[msg] {
hardcoded := input.hardcoded_credentials[_]
msg = sprintf("Hardcoded credential detected: %s in file %s", [hardcoded.type, hardcoded.location])
}
# Ensure secrets use allowed encryption backends
deny[msg] {
secret := input.secrets[_]
secret.encrypted == true
backend := secret.backend
not backend in ["sops", "kms", "vault", "sealed-secrets"]
msg = sprintf("Secret uses unauthorized encryption backend: %s", [backend])
}
# Require encryption for sensitive environment variables
deny[msg] {
env_var := input.environment_variables[_]
env_var.sensitive == true
env_var.encrypted == false
msg = sprintf("Sensitive environment variable %s must be encrypted", [env_var.name])
}
# Check for valid secret rotation policy
deny[msg] {
secret := input.secrets[_]
not secret.rotation_policy
msg = sprintf("Secret %s missing rotation policy", [secret.name])
}