mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-06 17:26:51 +00:00
206322271c
* Add sensitiveContainerEnvVar and sensitiveConfigMapContent checks * Update full example configfile
44 lines
1.4 KiB
YAML
44 lines
1.4 KiB
YAML
successMessage: The ConfigMap does not contain potentially sensitive content in its keys and values
|
|
failureMessage: Potentially sensitive content is detected in the ConfigMap keys or values
|
|
category: Security
|
|
target: /ConfigMap
|
|
schemaString: |
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
required: ["metadata"]
|
|
properties:
|
|
metadata:
|
|
required: ["name"]
|
|
properties:
|
|
name:
|
|
type: string
|
|
data:
|
|
type: object
|
|
propertyNames:
|
|
'$comment': These ConfigMap keys will be disallowed.
|
|
allOf:
|
|
- not:
|
|
pattern: '(?i)^AWS_SECRET_ACCESS_KEY$'
|
|
- not:
|
|
pattern: '(?i)^GOOGLE_APPLICATION_CREDENTIALS$'
|
|
- not:
|
|
pattern: '(?i)^AZURE_.+KEY$'
|
|
- not:
|
|
pattern: '(?i)^OCI_CLI_KEY_CONTENT$'
|
|
- not:
|
|
pattern: '(?i)password'
|
|
- not:
|
|
pattern: '(?i)token'
|
|
- not:
|
|
pattern: '(?i)bearer'
|
|
- not:
|
|
pattern: '(?i)secret'
|
|
'$comment': This allows ConfigMap keys not excluded above.
|
|
- pattern: '(?i).*'
|
|
additionalProperties:
|
|
'$comment': These ConfigMap values will be disallowed.
|
|
allOf:
|
|
- not:
|
|
'$comment': THis matches variations like begin private key, begin rsa private key ...
|
|
pattern: '(?i)\s*-BEGIN\s+.*PRIVATE KEY-\s*'
|