Exposing secrets as environment variables can be risky, as they can be easily exposed through logs or other means.
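# Spotter rule: report workloads that inject Secret data into a container's
# environment, either per-key (env[].valueFrom.secretKeyRef) or wholesale
# (envFrom[].secretRef). The CEL expression below evaluates to true when any
# container or init container of the matched object does so.
#
# NOTE(review): the nesting of `namespaces`, `labels`, `cel` and `remediation`
# was reconstructed from an unindented copy of this rule — confirm it against
# the SpotterRule schema before relying on it.
apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-data-002
  labels:
    severity: "high"
    category: "data"
  annotations:
    rules.spotter.dev/title: "Secret Exposed as Environment Variable"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-522"
    rules.spotter.dev/description: "Exposing secrets as environment variables can be risky, as they can be easily exposed through logs or other means."
spec:
  match:
    resources:
      kubernetes:
        # "batch" is required for the Job kind listed below; Job is served by
        # batch/v1, not by the core ("") or "apps" group, so without it the
        # Job entry in `kinds` can never match.
        apiGroups:
          - ""
          - "apps"
          - "batch"
        versions:
          - "v1"
        # Every kind here except Pod carries its pod spec at
        # spec.template.spec, which the CEL expression relies on.
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
          - Job
    namespaces:
      include: ["*"]
      exclude: ["kube-system", "kube-public"]
    labels:
      exclude:
        rules.spotter.dev/ignore: ["true"]
  # Two branches select the pod spec (Pod vs. templated workload); each one
  # scans `containers` plus `initContainers` (when present). Init containers
  # were previously not evaluated, so a Secret consumed only by an init
  # container went unreported. Ephemeral containers are still not evaluated.
  cel: |
    (object.kind == 'Pod' && has(object.spec.containers) &&
      (object.spec.containers +
        (has(object.spec.initContainers) ? object.spec.initContainers : [])
      ).exists(c,
        (has(c.env) && c.env.exists(e, has(e.valueFrom) && has(e.valueFrom.secretKeyRef))) ||
        (has(c.envFrom) && c.envFrom.exists(ef, has(ef.secretRef)))
      )) ||
    (object.kind != 'Pod' && has(object.spec.template.spec.containers) &&
      (object.spec.template.spec.containers +
        (has(object.spec.template.spec.initContainers) ? object.spec.template.spec.initContainers : [])
      ).exists(c,
        (has(c.env) && c.env.exists(e, has(e.valueFrom) && has(e.valueFrom.secretKeyRef))) ||
        (has(c.envFrom) && c.envFrom.exists(ef, has(ef.secretRef)))
      ))
  remediation:
    manual: "Use a volume to mount the secret into the pod instead of exposing it as an environment variable."
    references:
      - title: "Kubernetes Secrets"
        url: "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod"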