Checkmarx · rogeriopeixotocx · Sep 28, 2021 · Sep 27, 2021 · Sep 27, 2021 · Sep 28, 2021
@@ -18,18 +18,18 @@
     {
       "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
       "name": "Generic Secret",
-      "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?",
+      "regex": "^(?i)['\"]?\\s*(\\w*_)?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?",
       "entropies": [
         {
-          "group": 3,
+          "group": 4,
           "min": 2.8,
           "max": 8
         }
       ],
       "allowRules": [
         {
           "description": "Avoiding Square OAuth Secret",
-          "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+          "regex": "(?i)['\"]?\\s*(\\w*_)?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
         }
       ]
     },

@@ -1,10 +1,12 @@
 ## Password and Secrets
-Being the only query written in Golang, it involves several rules to cover the maximum possible cases. These rules bases on regexes. 
+Being the only query written in Golang, it involves several rules to cover the maximum possible cases. These rules bases on regexes.
 Each one is mainly composed of id, name and regex.
 
-Since there are cases where it is necessary to filter the results of these rules (i.e. cases to exclude), you can use **allowRules**. 
+Since there are cases where it is necessary to filter the results of these rules (i.e. cases to exclude), you can use **allowRules**.
 Basically, there are two types: **specific allowRules**, which is just applied to a specific rule and **generic allowRules**, which is applied to all rules.
 
+**NOTE:** Terraform variables will not be resolved. Password and Secrets query will scan and point directly to tfvars file.
+
 ```json
 {
   "rules": [
@@ -25,13 +27,13 @@ Basically, there are two types: **specific allowRules**, which is just applied t
             "description": "brief description about the cases to exclude",
             "regex": "golang flavor regex"
           }
-    ]  
+    ]
 }
 ```
 
 #### Example
 
-The present rule defines a pattern that finds generic tokens. 
+The present rule defines a pattern that finds generic tokens.
 Since, in Terraform, we can come across cases like `token_key = data.terraform_remote_state.rancher.outputs.token_key`, we can use a **specific allowRules** (Avoiding TF resource access) to exclude these cases.
 
 Moreover, to exclude scenarios like `automountServiceAccountToken: false`, we can use a **generic allowRules** (Avoiding Boolean's) to be applied not only in this rule but also in the remaining ones.
@@ -56,7 +58,7 @@ Moreover, to exclude scenarios like `automountServiceAccountToken: false`, we ca
             "description": "Avoiding Boolean's",
             "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
           }
-   ] 
+   ]
 }
 ```
 

@@ -104,7 +104,7 @@ func worker(path string, results, unwanted chan<- string, wg *sync.WaitGroup) {
 	case ".dockerfile", "Dockerfile":
 		results <- "dockerfile"
 	// Terraform
-	case ".tf":
+	case ".tf", "tfvars":
 		results <- "terraform"
 	// Cloud Formation, Ansible, OpenAPI
 	case yaml, yml, ".json":

@@ -108,7 +108,7 @@ func (p *Parser) Parse(path string, content []byte) ([]model.Document, error) {
 
 // SupportedExtensions returns Terraform extensions
 func (p *Parser) SupportedExtensions() []string {
-	return []string{".tf"}
+	return []string{".tf", ".tfvars"}
 }
 
 // SupportedTypes returns types supported by this parser, which are terraform

@@ -37,7 +37,7 @@ func TestParser_SupportedTypes(t *testing.T) {
 // TestParser_SupportedExtensions tests the functions [SupportedExtensions()] and all the methods called by them
 func TestParser_SupportedExtensions(t *testing.T) {
 	p := &Parser{}
-	require.Equal(t, []string{".tf"}, p.SupportedExtensions())
+	require.Equal(t, []string{".tf", ".tfvars"}, p.SupportedExtensions())
 }
 
 // Test_Parser tests the functions [Parser()] and all the methods called by them