Detect custom keywords and secrets in containers and IaC files
With the Veracode CLI, you can configure and detect custom keywords and secrets relevant to your organization. This allows you to identify sensitive information, such as credit card numbers, CI/CD token values, or any other proprietary secrets.
To ensure accurate, organization-specific detection based on your own keywords and secret patterns, you configure the rules in your veracode.yml file.
Add rules to the veracode.yml file
1. Edit the veracode.yml file in your .veracode directory.
2. Under container_scan:, add a secret-rules: section that contains a list of the rules you want to apply to your container and Infrastructure as Code (IaC) scans. For example:

    api:
      key-id: 1*************1****
      key-secret: c*********************************************************a
    container_scan:
      secret-rules:
        - id: test for app secrets
          category: Passwords
          title: App Secret
          severity: HIGH
          group-name: secret
          regex: (?i)(?P<key>APP_SECRET_KEY)\s*[:=]*\s*(?P<secret>[^\s,]*)
        - id: Test for app id
          category: Passwords
          title: App ID
          severity: HIGH
          group-name: secret
          regex: (?i)(?P<key>APP_ID)\s*[:=]*\s*(?P<secret>[^\s,]*)

   For the meaning of each value, see Secret rule configuration.
3. Ensure that there are no syntax errors in the file.
4. Save your changes.
5. To scan a directory in your project where you want to detect secrets, run:

    ./veracode scan --source <your_project_directory> --type directory

6. Review your results.
Secret rule configuration
In the veracode.yml file in your .veracode directory, you can add custom rules for detecting secrets. Each rule contains the following values:
| Value | Description | Example |
|---|---|---|
| id (required) | Descriptive identifier for the rule. | Test for Azure client id and tenant id |
| category | The category of secret, such as passwords, keys, or tokens. | Passwords |
| title (required) | Brief title for the rule. | Client ID |
| severity (required) | The relative importance of the rule, in terms of its impact on the security of your containers and IaC. | HIGH |
| group-name | Name you can use to categorize rules for reporting or organizational purposes. | API keys |
| regex (required) | Regular expression that defines the pattern to use when searching for secrets in the scanned files. Must use RE2 syntax. | (?i)(?P<key>APP_ID)\s*[:=]*\s*(?P<secret>[^\s,]*) |
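Before committing rules to veracode.yml (the procedure above) it helps to lint them against the value table and run them over sample input, because the scan only reports matches, not why a rule fired. The following Python script is an added example for this page, not part of the Veracode CLI: it checks each rule for the required fields and for regex constructs that RE2 does not accept (Python's re module stands in for RE2, so that check is a heuristic, not an RE2 parser), then applies the rules line by line to two constructed sample files. The two rules are the ones from the veracode.yml example; the TIGHT_RULES variants, the sample files, and all function names are this example's own assumptions. The dry run shows why the page's patterns are noisy: both [:=]* and [^\s,]* accept zero characters, so a line such as APP_ID= in a .env template matches with an empty value, and with no word boundary around the key, APP_ID_PREFIX: legacy matches with the value _PREFIX:. The tightened variants require a boundary, one separator, and a non-empty value, and produce only the two real hits.

```python
"""Lint custom secret rules and dry-run them over sample files before a scan.

Added example for this page; it is not part of the Veracode CLI. Rules and
sample files are constructed inline. Python's `re` stands in for RE2.
"""
import re

# The two rules from the veracode.yml example on this page, in the shape that
# yaml.safe_load(...)["container_scan"]["secret-rules"] would return.
SECRET_RULES = [
    {
        "id": "test for app secrets",
        "category": "Passwords",
        "title": "App Secret",
        "severity": "HIGH",
        "group-name": "secret",
        "regex": r"(?i)(?P<key>APP_SECRET_KEY)\s*[:=]*\s*(?P<secret>[^\s,]*)",
    },
    {
        "id": "Test for app id",
        "category": "Passwords",
        "title": "App ID",
        "severity": "HIGH",
        "group-name": "secret",
        "regex": r"(?i)(?P<key>APP_ID)\s*[:=]*\s*(?P<secret>[^\s,]*)",
    },
]

# Tightened variants (this example's assumption, not from the page): word
# boundaries around the key, exactly one separator, and a non-empty value.
TIGHT_RULES = [
    dict(SECRET_RULES[0], regex=r"(?i)\b(?P<key>APP_SECRET_KEY)\b\s*[:=]\s*(?P<secret>[^\s,]+)"),
    dict(SECRET_RULES[1], regex=r"(?i)\b(?P<key>APP_ID)\b\s*[:=]\s*(?P<secret>[^\s,]+)"),
]

# Constructed sample inputs: a Helm-style values file and a .env template.
SAMPLE_FILES = {
    "values-prd.yml": (
        "app:\n"
        "  enabled: true\n"
        "  values:\n"
        "    APP_ID: 1234567890abcdef\n"
        "    APP_SECRET_KEY=s3cr3t-value-do-not-commit\n"
        "    LOG_LEVEL: info\n"
        "  # rotate APP_SECRET_KEY quarterly\n"
        "  APP_ID_PREFIX: legacy\n"
    ),
    ".env.example": "APP_ID=\nAPP_SECRET_KEY=\n",
}

REQUIRED_FIELDS = ("id", "title", "severity", "regex")
# Constructs RE2 does not support: lookahead/lookbehind and backreferences.
# Heuristic only; it is not an RE2 parser.
RE2_UNSUPPORTED = re.compile(r"\(\?<?[=!]|\\[1-9]")


def lint_rule(rule, value_group="secret"):
    """Return a list of problems with one secret rule (empty list means OK)."""
    problems = [f"missing required field '{f}'" for f in REQUIRED_FIELDS if not rule.get(f)]
    pattern = rule.get("regex") or ""
    if RE2_UNSUPPORTED.search(pattern):
        problems.append("regex uses lookaround or a backreference, which RE2 rejects")
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        problems.append(f"regex does not compile: {exc}")
        return problems
    # The page's rules capture the value in a group named "secret"; require one.
    if value_group not in compiled.groupindex:
        problems.append(f"regex has no named group '{value_group}' for the secret value")
    return problems


def dry_run(rules, files, value_group="secret"):
    """Apply each rule to every line of every file; return one dict per match."""
    findings = []
    for rule in rules:
        compiled = re.compile(rule["regex"])
        for name, text in files.items():
            for lineno, line in enumerate(text.splitlines(), 1):
                for match in compiled.finditer(line):
                    value = match.groupdict().get(value_group, match.group(0))
                    findings.append({"file": name, "line": lineno, "rule": rule["id"], "value": value})
    return findings


def noisy(findings):
    """Matches that captured nothing: a rule that fires on a bare key name."""
    return [f for f in findings if f["value"] == ""]


if __name__ == "__main__":
    for rule in SECRET_RULES:
        print(rule["id"], "->", lint_rule(rule) or "OK")
    for label, rules in (("page rules", SECRET_RULES), ("tightened", TIGHT_RULES)):
        found = dry_run(rules, SAMPLE_FILES)
        print(f"{label}: {len(found)} matches, {len(noisy(found))} with an empty value")
        for f in found:
            print(f"  {f['file']}:{f['line']} {f['rule']!r} value={f['value']!r}")
```

To lint the real file, load the rules with PyYAML (yaml.safe_load on .veracode/veracode.yml, then the container_scan and secret-rules keys) in place of SECRET_RULES; the dict shape is the same. Keep a dry run like this next to the rules so that a change to a pattern is checked against known-good and known-noisy input before it reaches the pipeline.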
Example results
In the following example results, the scan detects secrets titled App ID and App Secret Key in a scanned YML file. Both secrets have a severity of HIGH and are in the Passwords category.
{
  "Class": "secret",
  "Secrets": [
    {
      "Category": "Passwords",
      "Code": {
        "Lines": [
          {
            "Annotation": "",
            "Content": " enabled: true",
            "FirstCause": false,
            "Highlighted": " enabled: true",
            "IsCause": false,
            "LastCause": false,
            "Number": 2,
            "Truncated": false
          },
          {
            "Annotation": "",
            "Content": " values:",
            "FirstCause": false,
            "Highlighted": " values:",
            "IsCause": false,
            "LastCause": false,
            "Number": 3,
            "Truncated": false
          },
          {
            "Annotation": "",
            "Content": " ***********************",
            "FirstCause": true,
            "Highlighted": " ***********************",
            "IsCause": true,
            "LastCause": true,
            "Number": 4,
            "Truncated": false
          },
          {
            "Annotation": "",
            "Content": " ************************",
            "FirstCause": false,
            "Highlighted": " ************************",
            "IsCause": false,
            "LastCause": false,
            "Number": 5,
            "Truncated": false
          }
        ]
      },
      "EndLine": 4,
      "Layer": {},
      "Match": " ***********************",
      "RuleID": "Test for app id",
      "Severity": "HIGH",
      "StartLine": 4,
      "Title": "App ID"
    },
    {
      "Category": "Passwords",
      "Code": {
        "Lines": [
          {
            "Annotation": "",
            "Content": " values:",
            "FirstCause": false,
            "Highlighted": " values:",
            "IsCause": false,
            "LastCause": false,
            "Number": 3,
            "Truncated": false
          },
          {
            "Annotation": "",
            "Content": " ***********************",
            "FirstCause": false,
            "Highlighted": " ***********************",
            "IsCause": false,
            "LastCause": false,
            "Number": 4,
            "Truncated": false
          },
          {
            "Annotation": "",
            "Content": " ************************",
            "FirstCause": true,
            "Highlighted": " ************************",
            "IsCause": true,
            "LastCause": true,
            "Number": 5,
            "Truncated": false
          },
          {
            "Annotation": "",
            "Content": " LOG_LEVEL: info",
            "FirstCause": false,
            "Highlighted": " LOG_LEVEL: info",
            "IsCause": false,
            "LastCause": false,
            "Number": 6,
            "Truncated": false
          }
        ]
      },
      "EndLine": 5,
      "Layer": {},
      "Match": " ************************",
      "RuleID": "test for secrets",
      "Severity": "HIGH",
      "StartLine": 5,
      "Title": "App Secret key"
    }
  ],
  "Target": "values-prd.yml"
}
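Because the results are JSON, a pipeline can gate on them instead of relying on someone reading the output by hand. The following Python script is an added example, not Veracode's code: it reads result objects of the shape shown above (Class, Target, and a Secrets array whose entries carry RuleID, Title, Severity and StartLine), flattens the secret findings, counts them by severity, and returns a non-zero exit status when any finding meets a severity threshold. The results it parses are constructed for the example; the second target and the non-secret result class are invented to show the filtering, and the severity ordering is an assumption, since the page only shows HIGH. The report deliberately omits the Match and Code fields, which carry the matched value (masked in the page's output) and should not be echoed into CI logs.

```python
"""Gate a CI job on the secret findings in Veracode CLI JSON results.

Added example for this page; not part of the Veracode CLI. The results
below are constructed in the shape of the example results above.
"""
import json
import sys

# Assumed ordering; the page only shows HIGH.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: one result object per scanned target, as on the page.
# Match values are masked and Code is omitted; the gate never reads them.
SAMPLE_RESULTS = json.dumps([
    {
        "Class": "secret",
        "Target": "values-prd.yml",
        "Secrets": [
            {"Category": "Passwords", "RuleID": "Test for app id", "Title": "App ID",
             "Severity": "HIGH", "StartLine": 4, "EndLine": 4,
             "Match": " ***********************"},
            {"Category": "Passwords", "RuleID": "test for secrets", "Title": "App Secret key",
             "Severity": "HIGH", "StartLine": 5, "EndLine": 5,
             "Match": " ************************"},
        ],
    },
    {
        "Class": "secret",
        "Target": "values-dev.yml",
        "Secrets": [
            {"Category": "Passwords", "RuleID": "Test for app id", "Title": "App ID",
             "Severity": "MEDIUM", "StartLine": 9, "EndLine": 9, "Match": " ****"},
        ],
    },
    # A result of some other class (constructed) carries no Secrets and is skipped.
    {"Class": "other", "Target": "Dockerfile"},
])


def secret_findings(results):
    """Flatten result objects into one record per secret, without the match text."""
    if isinstance(results, dict):  # a single result object, as printed on the page
        results = [results]
    findings = []
    for result in results:
        if result.get("Class") != "secret":
            continue
        for secret in result.get("Secrets", []):
            findings.append({
                "target": result["Target"],
                "line": secret["StartLine"],
                "rule": secret["RuleID"],
                "title": secret["Title"],
                "severity": str(secret["Severity"]).upper(),
            })
    return findings


def count_by_severity(findings):
    """Histogram of findings per severity label."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def should_fail(findings, threshold="HIGH"):
    """True if any finding is at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= floor for f in findings)


def gate(raw_json, threshold="HIGH"):
    """Return (exit_code, report_lines) for a results document."""
    findings = secret_findings(json.loads(raw_json))
    lines = [f"{f['target']}:{f['line']} [{f['severity']}] {f['title']} ({f['rule']})"
             for f in findings]
    lines.append("by severity: " + json.dumps(count_by_severity(findings), sort_keys=True))
    return (1 if should_fail(findings, threshold) else 0), lines


if __name__ == "__main__":
    # Usage: python gate.py results.json   (no argument runs the constructed sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    code, report = gate(raw)
    print("\n".join(report))
    sys.exit(code)
```

The location line (target, StartLine, title, rule id) is enough for a developer to find and rotate the credential; a pipeline that prints Match would copy the secret into a second place it has to be scrubbed from.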