Description
What happened?
Hi, thanks for polaris, it's an awesome tool and it helps us a lot in many use cases.
We think we might have a special case that is a false positive.
We are using `envFrom` with `secretRef`, and then using a bunch of variables for secrets (as described in https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables ) and using `env` to rename and combine some variables:
```yaml
---
apiVersion: apps/v1
kind: Deployment
[snip]
spec:
  template:
    spec:
      containers:
        - name: airflow-scheduler
          [snip]
          envFrom:
            - secretRef:
                name: airflow-env
          [snip]
          env:
            - name: AIRFLOW_VAR_GITLAB_PRIVATE_TOKEN
              value: $(GITLAB_PRIVATE_TOKEN)
            - name: AIRFLOW_VAR_PROMETHEUS_PASSWORD
              value: $(PROMETHEUS_PASSWORD)
```
and polaris detects the following:
sensitiveContainerEnvVar ❌ Danger
Security - The container sets potentially sensitive environment variables
This doesn't seem to be the case when a syntax like the following is used:
```yaml
[snip]
env:
  - name: POSTGRES_PASSWORD
    valueFrom:
      secretKeyRef:
        name: postgres-airflow-secret
        key: POSTGRES_PASSWORD
[snip]
```
What did you expect to happen?
For polaris to detect that a variable from a secret is being used and to consider this as safe.
How can we reproduce this?
If the snippet above is not sufficient to discuss this issue we can probably share a complete deployment/secret.
Version
7.3.2
Search
- I did search for other open and closed issues before opening this.
Code of Conduct
- I agree to follow this project's Code of Conduct
Additional context
No response
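As an added illustration of the distinction this issue raises (example code written for this page, not polaris's own check), the script below classifies each container env var by where its value actually comes from: an inline literal in the manifest, a `valueFrom.secretKeyRef`, or a `$(VAR)` dependent-variable reference that the kubelet expands at container start from a variable defined earlier in the same `env` list or injected through `envFrom`. The sensitive-name pattern, the verdict names and the sample container specs are assumptions constructed for the example; the first one mirrors the Deployment snippet in the report. It also covers two edge cases a checker has to get right: `$$(VAR)` is the escape form and stays literal, and a reference to a variable that is only defined later in the list, or to an `envFrom` key when both a `secretRef` and a `configMapRef` are present, cannot be resolved offline and is reported as unknown rather than as safe.

```python
import re

# Assumed list of name fragments treated as sensitive; polaris has its own list.
SENSITIVE_NAME_RE = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.IGNORECASE
)

# Kubernetes dependent env var syntax $(VAR). "$$(VAR)" is the escape form and
# is emitted literally, so the lookbehind keeps it from counting as a reference.
DEPENDENT_REF_RE = re.compile(r"(?<!\$)\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def env_from_kinds(container):
    """Kinds of sources ("secret", "configmap") feeding the container via envFrom."""
    kinds = set()
    for src in container.get("envFrom", []):
        if "secretRef" in src:
            kinds.add("secret")
        if "configMapRef" in src:
            kinds.add("configmap")
    return kinds


def _resolve_ref(var, earlier, kinds):
    """Origin of the value a $(var) reference expands to.

    The kubelet expands $(VAR) only from entries earlier in the same env list
    or from envFrom; anything else is left as the literal string "$(VAR)".
    envFrom keys cannot be enumerated offline, so a container that mixes
    secretRef and configMapRef sources (or has neither) yields "unknown".
    """
    if var in earlier:
        return earlier[var]
    if kinds == {"secret"}:
        return "secret"
    if kinds == {"configmap"}:
        return "configmap"
    return "unknown"


def classify_env(container):
    """Map each env entry name to the origin of its value.

    "secret"    secretKeyRef, or $(VAR) references that all resolve to Secrets
    "configmap" read from a ConfigMap, directly or through $(VAR)
    "literal"   inline plaintext in the manifest (including escaped $$(VAR))
    "other"     fieldRef / resourceFieldRef
    "unknown"   a $(VAR) reference whose origin cannot be determined offline
    """
    kinds = env_from_kinds(container)
    verdicts = {}
    for env in container.get("env", []):
        name = env.get("name", "")
        if "valueFrom" in env:
            value_from = env["valueFrom"]
            if "secretKeyRef" in value_from:
                verdict = "secret"
            elif "configMapKeyRef" in value_from:
                verdict = "configmap"
            else:
                verdict = "other"
        else:
            refs = DEPENDENT_REF_RE.findall(env.get("value", ""))
            if not refs:
                verdict = "literal"
            else:
                # Only entries already in `verdicts` are visible to the expansion.
                origins = {_resolve_ref(r, verdicts, kinds) for r in refs}
                for candidate in ("unknown", "literal", "configmap", "other"):
                    if candidate in origins:
                        verdict = candidate
                        break
                else:
                    verdict = "secret"
        verdicts[name] = verdict
    return verdicts


def sensitive_findings(container):
    """Sensitive-looking env vars that are not sourced from a Secret."""
    return {
        name: verdict
        for name, verdict in classify_env(container).items()
        if SENSITIVE_NAME_RE.search(name) and verdict != "secret"
    }


if __name__ == "__main__":
    # Constructed from the container spec in this issue.
    airflow = {
        "envFrom": [{"secretRef": {"name": "airflow-env"}}],
        "env": [
            {"name": "AIRFLOW_VAR_GITLAB_PRIVATE_TOKEN", "value": "$(GITLAB_PRIVATE_TOKEN)"},
            {"name": "AIRFLOW_VAR_PROMETHEUS_PASSWORD", "value": "$(PROMETHEUS_PASSWORD)"},
        ],
    }
    print(sensitive_findings(airflow))  # {} : both values expand from the Secret
```

Run against the container from this issue, both `AIRFLOW_VAR_*` entries classify as `secret` and the findings are empty, while a literal such as `value: hunter2` on a `*_PASSWORD` name is still reported. The conservative `unknown` verdict is deliberate: a static check can see that a `$(VAR)` reference will be expanded, but not which `envFrom` source provides `VAR` when several kinds are mixed, so a human still has to confirm those.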