Skip to content

feat(rule): add Ansible Vault Encrypted Secret#305

Merged
michaelweber merged 2 commits into
praetorian-inc:mainfrom
hugo-syn:ansible
Jul 6, 2026
Merged

feat(rule): add Ansible Vault Encrypted Secret#305
michaelweber merged 2 commits into
praetorian-inc:mainfrom
hugo-syn:ansible

Conversation

@hugo-syn

@hugo-syn hugo-syn commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

No description provided.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f15c57ee-8a3e-41e4-a960-a849254e41bb

📥 Commits

Reviewing files that changed from the base of the PR and between bf5f4df and 5448cf0.

📒 Files selected for processing (2)
  • pkg/rule/rules/ansible.yml
  • pkg/rule/rulesets/default.yml

Walkthrough

This PR adds a new YAML rule for detecting Ansible Vault encrypted secrets and adds that rule to the default ruleset. The rule matches $ANSIBLE_VAULT; headers with version and algorithm fields, allows an optional extra tag segment, and captures indented hex payload lines. It is categorized as secret, encrypted, and configuration, with references and example vault payloads.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bf5f4dfb66

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread pkg/rule/rules/ansible.yml Outdated
@@ -0,0 +1,26 @@
rules:
- name: Ansible Vault Encrypted Secret
id: custom.ansible.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Add the new rule to the default ruleset

With scan --ruleset default (the CLI default in cmd/titus/scan.go), loadRules applies pkg/rule/rulesets/default.yml through ApplyRuleset, and that whitelist does not include this new custom.ansible.1 ID. As a result a normal titus scan will never run the Ansible Vault rule; it only appears with --ruleset all or custom rule loading. Please add the rule ID to the default ruleset, or mark/document it as opt-in if excluding it is intentional.

Useful? React with 👍 / 👎.

Comment thread pkg/rule/rules/ansible.yml Outdated
Comment on lines +7 to +11
\$ANSIBLE_VAULT;
\d+\.\d+;
[a-z0-9]+
(?:;[^\s]*)?
(?:\s+[0-9a-f]{16,})+

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Capture the vault block for content dedupe

In the default non-vectorscan build path, NewPortableRegexp deduplicates matches by RuleID plus captured groups (pkg/matcher/dedup.go), but this regex uses only non-capturing groups, so every Ansible Vault block in the same blob has an empty Groups slice and later blocks are treated as duplicates. This means a file containing two different vault-encrypted values reports only the first one; wrap the vault payload or whole block in a real capture group so distinct encrypted secrets are emitted.

Useful? React with 👍 / 👎.

@hugo-syn

hugo-syn commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

I took example with #282 but I don't see it in the ruleset default.yml is it normal ?

@michaelweber michaelweber left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving: precise rule anchored on the unique $ANSIBLE_VAULT; magic header — very low false-positive risk (verified: matched a real vault, did not fire on prose mentioning ansible-vault). No performance concern (disjoint-class quantifier, cheap literal prefilter). base_score 45 appropriately reflects that this flags an encrypted blob (an indicator) rather than a directly usable credential.

@michaelweber michaelweber merged commit c5ab7cb into praetorian-inc:main Jul 6, 2026
1 check passed
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hey @hugo-syn, this should now be resolved. If everything looks good on your end, no action needed. If you're still seeing issues, feel free to reopen and we'll take another look. Thanks for helping us improve!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants