feat(secrets): Add _prioritise_secrets by 3 levels of severity (#6390)

* Add _prioritise_secrets by 3 levels of severity * CR
bridgecrewio · Jun 3, 2024 · e0d99b0 · e0d99b0
1 parent 1fec077
commit e0d99b0
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 4 deletions.
diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py
@@ -73,7 +73,8 @@
     'Hex High Entropy String': 'CKV_SECRET_19'
 }
 
-ENTROPY_CHECK_IDS = ('CKV_SECRET_6', 'CKV_SECRET_19', 'CKV_SECRET_80')
+ENTROPY_CHECK_IDS = {'CKV_SECRET_6', 'CKV_SECRET_19', 'CKV_SECRET_80'}
+GENERIC_PRIVATE_KEY_CHECK_IDS = {'CKV_SECRET_10', 'CKV_SECRET_13'}
 
 CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()}
 
@@ -244,9 +245,8 @@ def run(
                         f"Removing secret due to UUID filtering: {hashlib.sha256(secret.secret_value.encode('utf-8')).hexdigest()}")
                     continue
                 if secret_key in secret_records.keys():
-                    if secret_records[secret_key].check_id in ENTROPY_CHECK_IDS and check_id not in ENTROPY_CHECK_IDS:
-                        secret_records.pop(secret_key)
-                    else:
+                    is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id)
+                    if not is_prioritise:
                         continue
                 bc_check_id = metadata_integration.get_bc_id(check_id)
                 if bc_check_id in secret_suppressions_id:
@@ -319,6 +319,17 @@ def run(
                 self._modify_invalid_secrets_check_result_to_skipped(report)
             return report
 
+    @staticmethod
+    def _prioritise_secrets(secret_records: Dict[str, SecretsRecord], secret_key: str, check_id: str) -> bool:
+        if secret_records[secret_key].check_id in ENTROPY_CHECK_IDS and check_id not in ENTROPY_CHECK_IDS:
+            secret_records.pop(secret_key)
+            return True
+        if secret_records[secret_key].check_id in GENERIC_PRIVATE_KEY_CHECK_IDS:
+            if check_id not in GENERIC_PRIVATE_KEY_CHECK_IDS | ENTROPY_CHECK_IDS:
+                secret_records.pop(secret_key)
+                return True
+        return False
+
     def cleanup_plugin_files(
             self,
             work_path: str,

diff --git a/tests/secrets/test_prioritise_secrets.py b/tests/secrets/test_prioritise_secrets.py
@@ -0,0 +1,54 @@
+import unittest
+
+from checkov.common.models.enums import CheckResult
+from checkov.common.output.secrets_record import SecretsRecord
+from checkov.secrets.runner import Runner, ENTROPY_CHECK_IDS, GENERIC_PRIVATE_KEY_CHECK_IDS
+
+
+class TestPrioritiseSecrets(unittest.TestCase):
+    def setUp(self):
+        self.secret_records = {
+            'key1': SecretsRecord(check_id='CKV_SECRET_6', check_name='foo',
+                                  check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')],
+                                  file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None,
+                                  check_class='CheckClass', file_abs_path='abs_path'),
+            'key2': SecretsRecord(check_id='CKV_SECRET_10', check_name='foo',
+                                  check_result={"result": CheckResult.FAILED},
+                                  code_block=[(1, 'baz')], file_path='qux', file_line_range=[1, 2], resource='resource',
+                                  evaluations=None, check_class='CheckClass', file_abs_path='abs_path'),
+            'key3': SecretsRecord(check_id='CKV_SECRET_18', check_name='foo',
+                                  check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')],
+                                  file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None,
+                                  check_class='CheckClass', file_abs_path='abs_path'),
+        }
+        self.ENTROPY_CHECK_IDS = ENTROPY_CHECK_IDS
+        self.GENERIC_PRIVATE_KEY_CHECK_IDS = GENERIC_PRIVATE_KEY_CHECK_IDS
+
+    def test_entropy_check_id_removed(self):
+        result = Runner._prioritise_secrets(self.secret_records, 'key1', 'CKV_SECRET_18')
+        self.assertTrue(result)
+        self.assertNotIn('key1', self.secret_records)
+
+    def test_generic_private_key_check_id_removed(self):
+        result = Runner._prioritise_secrets(self.secret_records, 'key2', 'CKV_SECRET_18')
+        self.assertTrue(result)
+        self.assertNotIn('key2', self.secret_records)
+
+    def test_no_removal_entropy_check_id(self):
+        result = Runner._prioritise_secrets(self.secret_records, 'key1', 'CKV_SECRET_6')
+        self.assertFalse(result)
+        self.assertIn('key1', self.secret_records)
+
+    def test_no_removal_generic_private_key_check_id(self):
+        result = Runner._prioritise_secrets(self.secret_records, 'key2', 'CKV_SECRET_10')
+        self.assertFalse(result)
+        self.assertIn('key2', self.secret_records)
+
+    def test_no_removal_other_check_id(self):
+        result = Runner._prioritise_secrets(self.secret_records, 'key3', 'CKV_SECRET_1000')
+        self.assertFalse(result)
+        self.assertIn('key3', self.secret_records)
+
+
+if __name__ == '__main__':
+    unittest.main()