Merge pull request #49 from mjshastha/detectingIban

Configmap with sensitive data lacks iban and passport patterns.
aquasecurity · Jan 3, 2024 · da28c39 · da28c39
2 parents b87ebd6 + 955a45d
commit da28c39
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/checks/kubernetes/aquacommercial/configmap_with_sensitive.rego b/checks/kubernetes/aquacommercial/configmap_with_sensitive.rego
@@ -30,6 +30,7 @@ patterns := [
 	"[^\\.](?:\\b[A-Z]{2}\\d{2} ?\\d{4} ?\\d{4} ?\\d{4} ?\\d{4} ?[\\d]{0,2}\\b)",
 	"(?i)(SHA1)",
 	"(?i)(MD5)",
+	"(?i)(iban\\s*(=|:))",
 ]
 
 patternsForKey := [
@@ -41,10 +42,17 @@ patternsForKey := [
 	"[^\\.](?:\\b[A-Z]{2}\\d{2} ?\\d{4} ?\\d{4} ?\\d{4} ?\\d{4} ?[\\d]{0,2}\\b)",
 	"(?i)(SHA1\\s*)",
 	"(?i)(MD5\\s*)",
+	"(?i)(iban\\s*)",
 ]
 
 patternsForEmail := "([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)"
 
+# - https://www.iban.com/structure
+patternForIbanAndPassport := [
+	"([A-Z]{2}[ \\-]?[0-9]{2}[ \\-]?([A-Z0-9]{3,5}[ \\-]?){2,7}[A-Z0-9]{1,3})",
+	"^[A-Z0-9<]{3,20}$",
+]
+
 # ConfigMapWithSensitive gives secret key
 # To reduce performance overhead, only matched patterns will be applied to each value for key
 ConfigMapWithSensitive[sensitiveData] {
@@ -83,6 +91,14 @@ ConfigMapWithSensitive[sensitiveData] {
 	sensitiveData = d
 }
 
+ConfigMapWithSensitive[sensitiveData] {
+	input.kind == "ConfigMap"
+	values = split(input.data[d], "\n")
+	val = split(values[v], ":")
+	regex.match(patternForIbanAndPassport[p], val[v])
+	sensitiveData = d
+}
+
 configMapSensitiveList := ConfigMapWithSensitive
 
 deny[res] {