SCT-A000 @ 389050f • vdaas / vald

Run summary

2 months ago

6d4b505..389050f

31 s

Possible hardcoded secrets detected in source code SCT-A000

Secrets

Minor

3 occurrences in this check

Audit: Hardcoded credential "vald.vdaas.org/target-read-replica-id" found in source code

charts/vald/values.yaml

3412          pullPolicy: Always
3413        # @schema {"name": "manager.index.readreplica.rotator.target_read_replica_id_annotations_key", "type": "string"}
3414        # manager.index.readreplica.rotator.target_read_replica_id_annotations_key -- name of annotations key for target read replica id
3415        target_read_replica_id_annotations_key: vald.vdaas.org/target-read-replica-id3416        # @schema {"name": "manager.index.readreplica.rotator.server_config", "alias": "server_config"}
3417        # manager.index.readreplica.rotator.server_config -- server config (overrides defaults.server_config)
3418        server_config:

Audit: Hardcoded credential "_AWS_SECRET_ACCESS_KEY_" found in source code

charts/vald/values.yaml

2325          access_key: _AWS_ACCESS_KEY_
2326          # @schema {"name": "agent.sidecar.config.blob_storage.s3.secret_access_key", "type": "string"}
2327          # agent.sidecar.config.blob_storage.s3.secret_access_key -- s3 secret access key
2328          secret_access_key: _AWS_SECRET_ACCESS_KEY_2329          # @schema {"name": "agent.sidecar.config.blob_storage.s3.token", "type": "string"}
2330          # agent.sidecar.config.blob_storage.s3.token -- s3 token
2331          token: ""

Audit: Hardcoded credential "vald-readreplica-id" found in source code

charts/vald/values.yaml

2042    component_name: agent-readreplica
2043    # @schema {"name": "agent.readreplica.label_key", "type": "string"}
2044    # agent.readreplica.label_key -- label key to identify read replica resources
2045    label_key: vald-readreplica-id2046    # @schema {"name": "agent.readreplica.volume_name", "type": "string"}
2047    # agent.readreplica.volume_name -- name of clone volume of agent pvc for read replica
2048    volume_name: vald-agent-ngt-readreplica-pvc

Description

Hardcoded secret with a low Shannon entropy (<4.5) detected in source code. This could be a valid secret and it is recommended to audit the use and verify if it is indeed valid.

If it is a place-holder, you can ignore this issue, or add a skipcq: SCT-A000 pragma to silence this warning.

This issue is detected for secrets that are assigned to a variable having password, secret and _key in their name, and the value of the secret has a Shannon entropy between 3 and 4.5.