Credential Leakage Checks #3287
Unanswered
derekwaters asked this question in New rules
Hi,
I have some AAP users for whom I've built a couple of additional ansible-lint rules to detect possible password leakage (into git or into logs), as they migrate a large number of legacy playbooks into their system.
The first rule is intended to flag any password args (including url_password, proxy_password) in modules that aren't using variables, i.e. the passwords are in the clear in the playbook, not in Vault or an external secrets store. In a DevOps environment where the playbooks are being stored in GitHub, this presents a risk of exposure of credentials that should be remedied.
The second rule is intended to try and detect passwords that might be being passed to a command or shell task as a command line parameter. If no_log is unset or False, this may cause Ansible to log passwords out in the clear. The detection is pretty imperfect, using a regex to try and check for password / pwd / pass parameters.
Is there any interest in me cleaning these up and raising a PR for them?
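As an added illustration (not derekwaters's rules and not part of ansible-lint), here is a stand-alone Python version of both detections that runs on parsed task dicts; the TASK_KEYWORDS set, the regexes and the sample tasks are constructed assumptions, and wiring the logic into an ansible-lint rule class is left out.

```python
from __future__ import annotations
import re
from typing import Any

# Task keywords that can never be the module name (subset, assumed for this example).
TASK_KEYWORDS = {"name", "when", "loop", "with_items", "register", "no_log", "become",
                 "become_user", "vars", "tags", "args", "delegate_to", "changed_when",
                 "failed_when", "environment", "ignore_errors", "notify", "until", "retries"}
SHELL_MODULES = {"command", "shell", "ansible.builtin.command", "ansible.builtin.shell"}
# Argument names treated as secrets: password, url_password, proxy_password, login_pwd, ...
PASSWORD_ARG = re.compile(r"(?:^|_)(?:password|passwd|pwd|pass)$")
JINJA_EXPR = re.compile(r"\{\{.*\}\}")
# Command-line flags or key=value pairs that usually carry a secret (imperfect by design).
CLI_PASSWORD = re.compile(r"(?i)(?:^|\s)(?:--?(?:password|passwd|pwd|pass)\b|(?:password|passwd|pwd|pass)=)")

def split_task(task: dict[str, Any]) -> tuple[str | None, Any]:
    """Return (module name, module args) for a parsed task; the first non-keyword key is the module."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            return key, value
    return None, None

def check_task(task: dict[str, Any]) -> list[str]:
    """Return findings for one task: literal password args and password-like command-line parameters."""
    findings: list[str] = []
    module, args = split_task(task)
    if module is None:
        return findings
    # Rule 1: a *password-style argument whose value is a literal rather than a Jinja expression.
    if isinstance(args, dict):
        for arg, value in args.items():
            if PASSWORD_ARG.search(arg) and isinstance(value, str) and not JINJA_EXPR.search(value):
                findings.append(f"{module}: argument '{arg}' is a hard-coded literal")
    # Rule 2: command/shell with a password-looking parameter while no_log is unset or false.
    if module in SHELL_MODULES:
        cmdline = args.get("cmd", "") if isinstance(args, dict) else str(args)
        if CLI_PASSWORD.search(cmdline) and not task.get("no_log"):
            findings.append(f"{module}: password-like parameter on command line without no_log: true")
    return findings

# Constructed sample tasks (not from any real playbook) exercising both rules.
SAMPLE_TASKS = [
    {"name": "literal password", "mysql_user": {"name": "app", "password": "Sup3rSecret!"}},
    {"name": "vaulted password", "mysql_user": {"name": "app", "password": "{{ vault_db_password }}"}},
    {"name": "secret on cmdline", "shell": "mysqldump -u app --password={{ db_pw }} app > /tmp/app.sql"},
    {"name": "cmdline, no_log set", "shell": "mysqldump -u app --password={{ db_pw }} app", "no_log": True},
]
if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(task["name"], "->", check_task(task) or "clean")
```

Note that the second rule fires even when the value is a variable, since a `{{ db_pw }}` expanded on a command line is logged in the clear unless `no_log: true` is set.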