
bug(cli): false positive when password from secretsmanager datasource is used #7277

Open
fsshah opened this issue Oct 9, 2024 · 0 comments
Labels
aws PR related with AWS Cloud bug Something isn't working community Community contribution query New query feature terraform Terraform query

Comments

@fsshah

fsshah commented Oct 9, 2024

False positive when password from secretsmanager datasource is used

An alert is generated when a password from a secretsmanager datasource is used for RDS. Kics detects it as a query to find the password. Is this expected behaviour?

Expected Behavior

Kics should not categorize it as a vulnerability when password from secretsmanager data source is used.

Actual Behavior

Kics categorizes it as a vulnerability as per this query:
https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71/

Steps to Reproduce the Problem

locals {
  # Password is read from Secrets Manager at plan time, not hardcoded
  dummydb_password = jsondecode(data.aws_secretsmanager_secret_version.rds_secrets.secret_string)["password"]
}

module "dummydb" {
  source                                = "terraform-aws-modules/rds/aws"
  version                               = "5.0.3"
  identifier                            = "testdb"
  engine                                = "postgres"
  engine_version                        = "12.19"
  instance_class                        = "db.t3.small"
  family                                = "postgres12"
  db_name                               = "testdb"
  username                              = "testuser"
  port                                  = "5432"
  # Reference to the local above (the original had `local.dummydb`, which does not exist)
  password                              = local.dummydb_password
  vpc_security_group_ids                = [var.vpc_security_group_ids]
  monitoring_interval                   = "0"
  create_monitoring_role                = true
  iam_database_authentication_enabled   = true
  parameter_group_use_name_prefix       = false
  deletion_protection                   = true
  create_db_subnet_group                = true
  enabled_cloudwatch_logs_exports       = []
  storage_encrypted                     = true
  create_random_password                = false
  subnet_ids                            = data.aws_subnets.subnets.ids
  parameter_group_name                  = var.parameter_group_name
  major_engine_version                  = "12.11"
  allocated_storage                     = 20
  performance_insights_enabled          = true
  performance_insights_retention_period = 7
}
  • Version: 2.1.3
  • Platform: Linux
@fsshah fsshah added bug Something isn't working community Community contribution labels Oct 9, 2024
@github-actions github-actions bot added query New query feature terraform Terraform query aws PR related with AWS Cloud labels Oct 9, 2024
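The false positive above comes down to whether a scanner looks only at the attribute name (`password = ...`) or also at what the right-hand side is. The following is an added example, not KICS's own query logic: a simplified, hypothetical check that finds password-like assignments in HCL and reports only those whose value is a string literal, so a `local.`/`data.`/function reference such as the secretsmanager lookup in the issue is not flagged. The sample HCL and both regexes are constructed here.

```python
import re

# Constructed sample (not the exact file from the issue): the secretsmanager
# pattern reported above, plus one genuinely hardcoded password for contrast.
SAMPLE_HCL = """
locals {
  dummydb_password = jsondecode(data.aws_secretsmanager_secret_version.rds_secrets.secret_string)["password"]
}

module "dummydb" {
  password = local.dummydb_password
}

module "leaky" {
  password = "Sup3rSecret!"
}
"""

# Simplified, hypothetical matcher for password-like attribute assignments.
ASSIGN_RE = re.compile(r"^\s*(?P<key>\w*pass(?:word|wd)?\w*)\s*=\s*(?P<value>.+?)\s*$",
                       re.IGNORECASE)
# Right-hand sides that reference other Terraform values or call a function.
REFERENCE_RE = re.compile(r"^(?:local|var|data|module|each)\.|^\w+\(")


def find_password_assignments(hcl):
    """Return (line_no, key, value) for each password-like assignment in hcl."""
    hits = []
    for line_no, line in enumerate(hcl.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:
            hits.append((line_no, m.group("key"), m.group("value")))
    return hits


def classify(value):
    """'literal' for a quoted string, 'reference' for a Terraform expression,
    'unknown' for anything else (numbers, booleans, heredocs)."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return "literal"
    if REFERENCE_RE.match(v):
        return "reference"
    return "unknown"


def hardcoded_passwords(hcl):
    """Only assignments whose value is a string literal are reported."""
    return [(n, k, v) for n, k, v in find_password_assignments(hcl)
            if classify(v) == "literal"]


if __name__ == "__main__":
    for n, k, v in find_password_assignments(SAMPLE_HCL):
        print(f"line {n}: {k} = {v} -> {classify(v)}")
```

Run against the sample, only the `leaky` module is reported; the secretsmanager-backed assignment is classified as a reference and skipped.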