ExternalSecret secretStoreRef SecretStore wrongly detected as Kubernetes Secret in v8.21.2 #1644

@DanielViard

Description

Describe the bug
Finding: kind: SecretStore is reported where it should not be, because it is not a kind: Secret, with the v8.21.2 TOML rules config.

To Reproduce
Steps to reproduce the behavior:
Create a gitleaks-secretstore.yaml file with the following content and commit it into a git repo:

---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: example
  namespace: example-ns
spec:
  provider:
    vault:
      server: "https://vault.acme.org"
      # Path is the mount path of the Vault KV backend endpoint
      # Used as a path prefix for the external secret key
      path: "secret"
      # Version is the Vault KV secret engine version.
      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "demo"
          # Optional service account reference
          serviceAccountRef:
            name: "my-sa"
          # Optional secret field containing a Kubernetes ServiceAccount JWT
          # used for authenticating with Vault
          secretRef:
            name: "my-secret"
            key: "vault"

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
  namespace: example-ns
spec:
  refreshInterval: 15s
  secretStoreRef:
    name: example
    kind: SecretStore
  target:
    name: mysecret
    creationPolicy: Owner
  data:
    - remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: secret/mysecret
        property: foo
      secretKey: foo

and run gitleaks:

gitleaks git --verbose -c ~/.gitleaks/gitleaks-v8.21.2.toml .

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

Finding:     kind: SecretStore
  target:
    name: mysecret
    creationPolicy: Owner
  data:
    - remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
                                   key: secret/mysecret
Secret:      key: secret/mysecret
RuleID:      kubernetes-secret-yaml
Entropy:     3.241446
File:        gitleaks-secretstore.yaml
Line:        40
Commit:      6547d83e81d243deab224c3c2378f56a997c61d7
Author:      kwxd8412
Email:       [email protected]
Date:        2024-11-18T14:10:39Z
Fingerprint: 6547d83e81d243deab224c3c2378f56a997c61d7:gitleaks-secretstore.yaml:kubernetes-secret-yaml:40

Expected behavior
No leaks detected

Screenshots
not applicable

Basic Info (please complete the following information):

  • OS:
  • Gitleaks Version: v8.21.2

Additional context
Related to #1586

cc @zricethezav
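The mechanism behind a false positive like this one, as an added example that is neither gitleaks code nor the reporter's: a rule that recognises the value after "kind:" by its prefix ("secret") and then scans ahead for a "data:" key will also fire on "kind: SecretStore" when a "data:" block follows within its window, which is exactly the shape of the ExternalSecret manifest above. The two patterns below are hypothetical approximations written for this illustration, not the actual kubernetes-secret-yaml regex from the gitleaks config; the sample manifests are constructed, modelled on (but shorter than) the reporter's files.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample manifests for this example (modelled on, but not
// identical to, the reporter's files). The first is a real Kubernetes
// Secret that a scanner should flag; the second is an ExternalSecret whose
// secretStoreRef carries "kind: SecretStore" and should not be flagged.
const realSecret = `apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
data:
  password: cGFzc3dvcmQ=
`

const externalSecret = `apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
spec:
  secretStoreRef:
    name: example
    kind: SecretStore
  target:
    name: mysecret
  data:
    - remoteRef:
        key: secret/mysecret
        property: foo
      secretKey: foo
`

// loosePattern is a hypothetical approximation of a rule shape that
// produces the false positive in the issue: "kind:" followed by "secret"
// with nothing terminating the value, then up to 200 characters (newlines
// included, via the s flag) before a "data:" key. It is NOT the actual
// gitleaks kubernetes-secret-yaml regex.
var loosePattern = regexp.MustCompile(`(?is)\bkind:[ \t]*["']?secret["']?.{0,200}?\bdata:`)

// strictPattern closes the value: after "secret" only an optional quote,
// trailing blanks and the end of the line are allowed, and "data:" must
// itself start a line. "kind: SecretStore" no longer satisfies it.
var strictPattern = regexp.MustCompile(`(?ims)^[ \t]*kind:[ \t]*["']?secret["']?[ \t]*$.{0,200}?^[ \t]*data:`)

// matchKind runs a pattern over a manifest and returns whether it matched
// plus the first line of the match (the "kind:" line), trimmed, so the two
// rules can be compared side by side.
func matchKind(re *regexp.Regexp, manifest string) (bool, string) {
	loc := re.FindStringIndex(manifest)
	if loc == nil {
		return false, ""
	}
	matched := manifest[loc[0]:loc[1]]
	if i := strings.IndexByte(matched, '\n'); i >= 0 {
		matched = matched[:i]
	}
	return true, strings.TrimSpace(matched)
}

func main() {
	samples := []struct{ name, yaml string }{
		{"real Secret", realSecret},
		{"ExternalSecret with secretStoreRef", externalSecret},
	}
	for _, s := range samples {
		looseHit, looseLine := matchKind(loosePattern, s.yaml)
		strictHit, strictLine := matchKind(strictPattern, s.yaml)
		fmt.Printf("%-36s loose=%-5t %-20q strict=%-5t %q\n",
			s.name, looseHit, looseLine, strictHit, strictLine)
	}
}
```

Run it and the loose pattern flags both manifests (the second via "kind: SecretStore"), while the strict pattern flags only the real Secret. The same principle applies to any custom rule you add to a gitleaks TOML config for YAML kinds: terminate the value (quote, blank or end of line) rather than matching a prefix, or the rule will also hit SecretStore, ClusterSecretStore and similar CRD kinds.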

Labels: bug