feat(policies): add support for SSL verification disabled #189

@elsapet elsapet commented Dec 1, 2022

Description

Support for SSL verification

  • Policy triggers only when we have sensitive data types detected

Also adds parent to risk location for custom risk detections (the detectPresence case)

Code sample

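require "net/http"
require "openssl"

# Sensitive data type; the policy triggers only when one is detected
user.gender_identity

class InsecureService
  # Builds an HTTPS client with certificate verification disabled,
  # which is the case this policy reports
  def unverified_http_client(uri)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    http
  end
end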

Policy report

Screenshot 2022-12-02 at 15 53 27

Checklist

  • I've added test coverage that shows my fix or feature works as expected.
  • I've updated or added documentation if required.
  • I've included usage information in the description if CLI behavior was updated or added.
  • PR title follows Conventional Commits format

@elsapet elsapet force-pushed the AMA-3287-ssl-certificate-verification-disabled-in-an-application-processing-sensitive-data branch from 9d47ddf to d12e9c5 Compare December 2, 2022 09:27
@elsapet elsapet marked this pull request as ready for review December 2, 2022 14:27
@elsapet elsapet merged commit c3c1313 into main Dec 2, 2022
@elsapet elsapet deleted the AMA-3287-ssl-certificate-verification-disabled-in-an-application-processing-sensitive-data branch December 2, 2022 14:33
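
A simplified model of the behaviour this PR describes, added here as an example and not the project's own detection code: disabled certificate verification is reported only when a sensitive data type also appears in the scanned source. The `SENSITIVE_FIELDS` list, the regular expressions and the function names are assumptions made for the example.

```ruby
# Simplified model of the policy: flag disabled certificate verification
# only when a sensitive data type also appears in the scanned source.
# SENSITIVE_FIELDS and the regexes are assumptions for this example.
SENSITIVE_FIELDS = %w[gender_identity].freeze
VERIFY_NONE_RE = /\.verify_mode\s*=\s*(?:::)?OpenSSL::SSL::VERIFY_NONE\b/

# Constructed input based on the PR's code sample.
FLAGGED_SOURCE = <<~RUBY
  user.gender_identity

  class InsecureService
    def unverified_http_client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
      http
    end
  end
RUBY

# Constructed variants: verification restored, and no sensitive data.
FIXED_SOURCE = FLAGGED_SOURCE.sub("VERIFY_NONE", "VERIFY_PEER")
NO_SENSITIVE_DATA = FLAGGED_SOURCE.sub("user.gender_identity", "user.id")

# Returns the sensitive field names referenced in the source.
def sensitive_fields(source)
  SENSITIVE_FIELDS.select { |f| source.match?(/\.#{Regexp.escape(f)}\b/) }
end

# Returns one finding per line that disables verification, or [] when
# no sensitive data type is present (the policy does not trigger).
def ssl_verification_findings(source)
  fields = sensitive_fields(source)
  return [] if fields.empty?

  findings = source.each_line.with_index(1).map do |line, number|
    next if line.lstrip.start_with?("#") # ignore commented-out code
    next unless line.match?(VERIFY_NONE_RE)

    { line: number, code: line.strip, data_types: fields }
  end
  findings.compact
end
```

Swapping `VERIFY_NONE` for `VERIFY_PEER` clears the finding, and so does removing the sensitive field, which mirrors the trigger condition stated in the description.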