# Secret Exposure Policy # Detects exposed secrets in code and containers package audit.secrets # Deny if unencrypted secrets are found in container deny[msg] { input.container_type secret := input.secrets[_] secret.encrypted == false msg = sprintf("Unencrypted secret detected: %s in container %s", [secret.type, input.name]) } # Deny if hardcoded credentials are found deny[msg] { hardcoded := input.hardcoded_credentials[_] msg = sprintf("Hardcoded credential detected: %s in file %s", [hardcoded.type, hardcoded.location]) } # Ensure secrets use allowed encryption backends deny[msg] { secret := input.secrets[_] secret.encrypted == true backend := secret.backend not backend in ["sops", "kms", "vault", "sealed-secrets"] msg = sprintf("Secret uses unauthorized encryption backend: %s", [backend]) } # Require encryption for sensitive environment variables deny[msg] { env_var := input.environment_variables[_] env_var.sensitive == true env_var.encrypted == false msg = sprintf("Sensitive environment variable %s must be encrypted", [env_var.name]) } # Check for valid secret rotation policy deny[msg] { secret := input.secrets[_] not secret.rotation_policy msg = sprintf("Secret %s missing rotation policy", [secret.name]) }