OpenShift GitOps / GITOPS-6629

SAST Scan Result: SIGMA.container_storing_secret_in_environment_variable (CWE-526)

    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • Sprint: GitOps Crimson Sprint 17

      Description of Problem

      Error: SIGMA.container_storing_secret_in_environment_variable (CWE-526): [#def3] [important]

      argo_cd/app/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml:26: Sigma main event: The Kubernetes container stores secrets in environment variables, which could be leaked if the environment is logged.
      argo_cd/app/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml:26: remediation: Provide access to secrets via volume mounts instead of setting `valueFrom.secretKeyRef` in `env`.
      #   24|             valueFrom:
      #   25|               secretKeyRef:
      #   26|->               key: auth
      #   27|                 name: argocd-redis
      #   28|           - name: ARGOCD_RECONCILIATION_TIMEOUT

      There are multiple reported instances (defect entries) of CWE-526; the complete list can be found here:

      https://cov01.lab.eng.brq2.redhat.com/covscanhub/task/841416/log/openshift-gitops-argocd-container-v1.16.0-15/scan-results-imp.html

      Problem Reproduction

      • SAST scan results from v1.16.0-15 RC

      Fix Approaches

      • Remediation: Provide access to secrets via volume mounts instead of setting `valueFrom.secretKeyRef` in `env`.
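      Added example (not from this issue or the Argo CD manifests): the flagged `env`/`secretKeyRef` pattern next to the volume-mount form the remediation asks for. The secret name `argocd-redis` and key `auth` come from the finding; the environment variable name `REDIS_PASSWORD_EXAMPLE`, the volume name and the mount path are placeholders.

```yaml
# Added example, not taken from the Argo CD manifests. Both fragments are the
# spec.template.spec section of a Deployment; only the relevant fields are shown.

# BEFORE (flagged, CWE-526): the secret value is injected into the process
# environment, so any environment dump (crash handler, debug logging, a
# `printenv` in an entrypoint script) can leak it.
containers:
  - name: argocd-application-controller
    env:
      - name: REDIS_PASSWORD_EXAMPLE   # placeholder; real name not in the finding
        valueFrom:
          secretKeyRef:
            name: argocd-redis
            key: auth
---
# AFTER (remediated): the same key is projected as a read-only file. Only the
# needed key is mounted, with restrictive file permissions, and the value never
# appears in the container's environment.
containers:
  - name: argocd-application-controller
    volumeMounts:
      - name: argocd-redis-auth                    # placeholder volume name
        mountPath: /var/run/secrets/argocd-redis   # placeholder mount path
        readOnly: true
volumes:
  - name: argocd-redis-auth
    secret:
      secretName: argocd-redis
      defaultMode: 0440   # owner/group read only; group comes from the pod's fsGroup
      items:
        - key: auth
          path: auth      # process reads /var/run/secrets/argocd-redis/auth
```

      The controller process must then read the credential from that file path; if it only supports reading the value from an environment variable, the manifest change alone does not close the finding.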

      Acceptance Criteria

      • SAST scan results for the next release do not contain CWE-526

              rh-ee-mmeetei Mangaal Meetei
              rhn-support-vab Varsha B