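# Semgrep rule: flag a static Vault token handed to hashicorp/vault-action
# in a GitHub Actions workflow. A token stored in the repository (or in a
# repository secret) is a long-lived credential; the linked references
# describe the OIDC-based alternative that issues short-lived credentials
# per workflow run.
rules:
  - id: vault-token
    # Wording fixed: the previous message talked about an "access key", which
    # is not what this rule matches (it matches a Vault token).
    message: |
      Found a static Vault token passed to hashicorp/vault-action. Instead
      prefer temporary credentials obtained through OIDC-based Vault
      authentication, so no long-lived token is stored with the workflow.
    languages: [yaml]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"
      subcategory: [audit]
      confidence: HIGH
      likelihood: HIGH
      impact: MEDIUM
      technology: [vault, github-actions]
      references:
        - https://developer.hashicorp.com/vault/docs/platform/github-actions
        - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault
        - https://github.com/hashicorp/vault-action
    patterns:
      # Only look at workflow steps whose `uses:` value is bound to $ACTION.
      - pattern-inside: |
          uses: "$ACTION"
          ...
      # Restrict $ACTION to the official Vault action (any version suffix).
      - metavariable-regex:
          metavariable: $ACTION
          regex: ^hashicorp/vault-action
      # The token may arrive either as the action's `token` input or as the
      # VAULT_TOKEN environment variable; either one is a static credential.
      - pattern-either:
          - pattern: |
              with:
                ...
                token: ...
          - pattern: |
              env:
                ...
                VAULT_TOKEN: ...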