"may-contain-secrets" warning has many false-positives #47

Open
dexhorthy opened this issue Jun 19, 2020 · 0 comments

It seems the check for may-contain-secrets frequently surfaces false positives, adding to a lot of noise in linter output.

I'd like to suggest that we disable this check until the false positive rate is lower.

Example

For example, there are no irresponsible secrets in this bundle of manifests, but the linter comes up with several warnings:

https://github.com/replicatedhq/kotsapps/tree/master/postgres-snapshots/manifests

may-contain-secrets    info    manifests/pg-consumer.yaml                                                                          It looks like there might be secrets in this file    
may-contain-secrets    info    manifests/pg-snapshot.yaml             29      It looks like there might be secrets in this file    
may-contain-secrets    info    manifests/postgres-secret.yaml         24      It looks like there might be secrets in this file    
may-contain-secrets    info    manifests/postgres-secret.yaml         18      It looks like there might be secrets in this file    

For example, this file triggers the warning, but is clearly safe:

apiVersion: v1
kind: Secret
metadata:
  name: postgres
data:
  DB_HOST: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
      {{repl Base64Encode "postgres" }}
    {{repl else}}
      {{repl ConfigOption "external_postgres_host" | Base64Encode }}
    {{repl end}}
  DB_PORT: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
      {{repl Base64Encode "5432" }}
    {{repl else}}
      {{repl ConfigOption "external_postgres_port" | Base64Encode }}
    {{repl end}}
  DB_USER: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
      {{repl Base64Encode "postgres" }}
    {{repl else}}
      {{repl ConfigOption "external_postgres_user" | Base64Encode }}
    {{repl end}}
  DB_PASSWORD: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
      {{repl ConfigOption "embedded_postgres_password" | Base64Encode }}
    {{repl else}}
      {{repl ConfigOption "external_postgres_password" | Base64Encode }}
    {{repl end}}
  DB_NAME: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
      {{repl Base64Encode "postgres" }}
    {{repl else}}
      {{repl ConfigOption "external_postgres_db" | Base64Encode }}
    {{repl end}}
  SCHEMAHERO_URI: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
      {{repl Base64Encode (printf "postgresql://postgres:%s@postgres:5432/postgres?connect_timeout=10&sslmode=disable" (ConfigOption "embedded_postgres_password")) }}
    {{repl else}}
      {{repl Base64Encode (printf "postgresql://%s:%s@%s:%s/%s?connect_timeout=10&sslmode=disable" (ConfigOption "external_postgres_user") (ConfigOption "external_postgres_password") (ConfigOption "external_postgres_host") (ConfigOption "external_postgres_port") (ConfigOption "external_postgres_db")) }}
    {{repl end}}
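
One way a check could tell templated Secret values from literal ones, as an added example that is not code from this issue or from the linter. It assumes a single block-style Secret manifest with two-space indentation; `LiteralSecretKeys`, `replExpr`, `keyLine` and the sample manifest are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// replExpr matches one template expression such as {{repl ConfigOption "x" }}.
var replExpr = regexp.MustCompile(`\{\{repl\b.*?\}\}`)

// keyLine matches a key indented by exactly two spaces (an entry under data:).
var keyLine = regexp.MustCompile(`^  ([A-Za-z0-9_.-]+):\s*(.*)$`)

// LiteralSecretKeys returns the data/stringData keys whose value still has text
// left once every {{repl ...}} expression is removed. Values made up only of
// template expressions are rendered at install time and are not reported.
func LiteralSecretKeys(manifest string) []string {
	var flagged []string
	inData, key := false, ""
	for _, line := range strings.Split(manifest, "\n") {
		t := strings.TrimSpace(line)
		switch {
		case t == "" || strings.HasPrefix(t, "#"): // blank line or YAML comment
		case !strings.HasPrefix(line, " "): // top-level key starts a new section
			inData, key = line == "data:" || line == "stringData:", ""
		case inData:
			if m := keyLine.FindStringSubmatch(line); m != nil {
				key, line = m[1], strings.TrimLeft(m[2], ">|-+ ") // drop block-scalar indicator
			}
			if key != "" && strings.Trim(replExpr.ReplaceAllString(line, ""), " \t\r\"'") != "" {
				flagged, key = append(flagged, key), "" // report each key once
			}
		}
	}
	return flagged
}

// sample is constructed for this example: one templated value, one literal value.
const sample = `kind: Secret
data:
  DB_USER: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
      {{repl Base64Encode "postgres" }}
    {{repl end}}
  API_KEY: c2VjcmV0
`

func main() { fmt.Println(LiteralSecretKeys(sample)) }
```

A literal passed to `Base64Encode` inside a template expression counts as templated here, so a hard-coded value wrapped that way is not reported.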