feat(rule): add Ansible Vault Encrypted Secret#305
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
WalkthroughThis PR adds a new YAML rule for detecting Ansible Vault encrypted secrets and adds that rule to the default ruleset. The rule matches ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bf5f4dfb66
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| @@ -0,0 +1,26 @@ | |||
| rules: | |||
| - name: Ansible Vault Encrypted Secret | |||
| id: custom.ansible.1 | |||
There was a problem hiding this comment.
Add the new rule to the default ruleset
With scan --ruleset default (the CLI default in cmd/titus/scan.go), loadRules applies pkg/rule/rulesets/default.yml through ApplyRuleset, and that whitelist does not include this new custom.ansible.1 ID. As a result a normal titus scan will never run the Ansible Vault rule; it only appears with --ruleset all or custom rule loading. Please add the rule ID to the default ruleset, or mark/document it as opt-in if excluding it is intentional.
Useful? React with 👍 / 👎.
| \$ANSIBLE_VAULT; | ||
| \d+\.\d+; | ||
| [a-z0-9]+ | ||
| (?:;[^\s]*)? | ||
| (?:\s+[0-9a-f]{16,})+ |
There was a problem hiding this comment.
Capture the vault block for content dedupe
In the default non-vectorscan build path, NewPortableRegexp deduplicates matches by RuleID plus captured groups (pkg/matcher/dedup.go), but this regex uses only non-capturing groups, so every Ansible Vault block in the same blob has an empty Groups slice and later blocks are treated as duplicates. This means a file containing two different vault-encrypted values reports only the first one; wrap the vault payload or whole block in a real capture group so distinct encrypted secrets are emitted.
Useful? React with 👍 / 👎.
|
I took example with #282 but I don't see it in the ruleset |
michaelweber
left a comment
There was a problem hiding this comment.
Approving: precise rule anchored on the unique $ANSIBLE_VAULT; magic header — very low false-positive risk (verified: matched a real vault, did not fire on prose mentioning ansible-vault). No performance concern (disjoint-class quantifier, cheap literal prefilter). base_score 45 appropriately reflects that this flags an encrypted blob (an indicator) rather than a directly usable credential.
|
Hey @hugo-syn, this should now be resolved. If everything looks good on your end, no action needed. If you're still seeing issues, feel free to reopen and we'll take another look. Thanks for helping us improve! |
No description provided.