From 143ce0279d824f5be053848b60b98d4c4ecfbf10 Mon Sep 17 00:00:00 2001
From: yiscah
Date: Wed, 22 Sep 2021 10:28:00 +0300
Subject: [PATCH] get sensitiveKeyNames as input from config

---
 rules/rule-credentials-in-env-var/raw.rego | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/rules/rule-credentials-in-env-var/raw.rego b/rules/rule-credentials-in-env-var/raw.rego
index 7bebd8f70..7e7572c95 100644
--- a/rules/rule-credentials-in-env-var/raw.rego
+++ b/rules/rule-credentials-in-env-var/raw.rego
@@ -1,12 +1,12 @@
 package armo_builtins
 # import data.cautils as cautils
 # import data.kubernetes.api.client as client
+import data
 
 deny[msga] {
  pod := input[_]
  pod.kind == "Pod"
- sensitive_key_names := {"aws_access_key_id", "aws_secret_access_key", "azure_batchai_storage_account", "azure_batchai_storage_key",
- "azure_batch_account", "azure_batch_key", "passwd","password", "username", "pwd", "cred", "token", "key", "cert"}
+ sensitive_key_names := data.postureControlInputs.sensitiveKeyNames
  key_name := sensitive_key_names[_]
  container := pod.spec.containers[_]
  env := container.env[_]
@@ -27,8 +27,7 @@ deny[msga] {
 
  spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
  spec_template_spec_patterns[wl.kind]
- sensitive_key_names := {"aws_access_key_id", "aws_secret_access_key", "azure_batchai_storage_account", "azure_batchai_storage_key",
- "azure_batch_account", "azure_batch_key", "passwd","password", "username", "pwd", "cred", "token", "key", "cert"}
+ sensitive_key_names := data.postureControlInputs.sensitiveKeyNames
  key_name := sensitive_key_names[_]
  container := wl.spec.template.spec.containers[_]
  env := container.env[_]
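Review bot: `sensitive_key_names := data.postureControlInputs.sensitiveKeyNames` makes the whole rule body undefined whenever the control input is missing or misnamed, so the `deny` rule silently reports nothing instead of failing loudly — a configuration gap turns the credential check off; the same line appears in the second hunk and in the CronJob hunk. Keeping the removed literal as a fallback preserves coverage when the input is absent, e.g. `sensitive_key_names := object.get(data.postureControlInputs, "sensitiveKeyNames", default_sensitive_key_names)` with `default_sensitive_key_names` defined once at package level as the old set (if `data.postureControlInputs` itself can be absent, the fallback needs to wrap that level too). The rule body continues past the hunk, so whether the configured names are still compared case-insensitively against `env.name` cannot be confirmed from this diff and should be checked against the sample config.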
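Review bot: The config lookup is now repeated verbatim in three `deny` rules, so the input key name lives in three places and a later rename must be applied three times; a single package-level rule, `sensitive_key_names := data.postureControlInputs.sensitiveKeyNames`, referenced from each body would keep it in one spot. The added `import data` at the top of the file also appears unnecessary, since `data` is the root document and is already addressable without an import, though it is harmless if the project's linter accepts it. The enclosing `deny` rule of this hunk starts before the hunk and its body continues after it.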
@@ -47,8 +46,7 @@ deny[msga] {
 deny[msga] {
  wl := input[_]
  wl.kind == "CronJob"
- sensitive_key_names := {"aws_access_key_id", "aws_secret_access_key", "azure_batchai_storage_account", "azure_batchai_storage_key",
- "azure_batch_account", "azure_batch_key", "passwd","password", "username", "pwd", "cred", "token", "key", "cert"}
+ sensitive_key_names := data.postureControlInputs.sensitiveKeyNames
  key_name := sensitive_key_names[_]
  container := wl.spec.jobTemplate.spec.template.spec.containers[_]
  env := container.env[_]