
Security definitions uses basic auth

Description

This policy checks that the security definitions in an OpenAPI (Swagger) 2.0 file do not use HTTP Basic authentication. Basic authentication is generally not considered a secure practice: the client sends the user's credentials (username and password) with every request, Base64-encoded rather than encrypted, so unless the connection itself is protected by TLS they can be read by anyone able to intercept the traffic. This increases the risk of credentials and other sensitive data being captured by unauthorized parties, which can lead to data breaches or other security incidents. It is generally recommended to use more secure authentication methods such as tokens, hashes, or keys.

Code Example

The following security definition declares an API key scheme instead of `basic`, so it passes the check:

```json
{
  "securityDefinitions": {
    "bearerAuth": {
      "type": "apiKey",
      "name": "Authorization",
      "in": "header"
    }
  }
}
```

Remediation

OpenAPI

You should avoid using Basic authentication (`"type": "basic"`) in the security definitions of version 2.0 files, as it is not considered a secure method of authentication. Instead, opt for more secure forms of authentication. This could include certificate-based client authentication, third-party single sign-on, or other methods that provide stronger security and data protection.
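As an added illustration (not the page's or Checkov's own code), the following Python function reproduces the intent of this policy on two constructed Swagger 2.0 documents: one that declares a Basic scheme and fails, and one that relies on API key and OAuth2 schemes and passes. The document contents and the function names are assumptions for this example.

```python
import json

# Constructed Swagger 2.0 documents (not from the page or from Checkov): the first
# declares an HTTP Basic scheme and fails the check, the second passes.
FAILING_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Example API", "version": "1.0"},
  "paths": {},
  "securityDefinitions": {
    "basicAuth": {"type": "basic"},
    "bearerAuth": {"type": "apiKey", "name": "Authorization", "in": "header"}
  }
}
""")

PASSING_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Example API", "version": "1.0"},
  "paths": {},
  "securityDefinitions": {
    "bearerAuth": {"type": "apiKey", "name": "Authorization", "in": "header"},
    "oauth": {"type": "oauth2", "flow": "application",
              "tokenUrl": "https://auth.example.com/token", "scopes": {}}
  }
}
""")


def basic_auth_definitions(spec):
    """Names of securityDefinitions entries declared with "type": "basic".
    Only Swagger/OpenAPI 2.0 documents are in scope: that version keeps its
    schemes under the top-level "securityDefinitions" object. Entries that are
    not objects are skipped rather than reported.
    """
    if str(spec.get("swagger", "")) != "2.0":
        return []
    definitions = spec.get("securityDefinitions")
    if not isinstance(definitions, dict):
        return []
    return sorted(name for name, scheme in definitions.items()
                  if isinstance(scheme, dict)
                  and str(scheme.get("type", "")).lower() == "basic")


def check_passes(spec):
    """True when no definition uses Basic auth, i.e. the policy's PASS result."""
    return not basic_auth_definitions(spec)
```

A real scan would also walk every file in the repository and report the offending definition names, but the decision logic is the single `type` comparison shown here.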

Rule Details

| Field      | Value           |
|------------|-----------------|
| ID         | IAC-1269        |
| Severity   | HIGH            |
| IaC Type   | OpenAPI         |
| Frameworks | OpenAPI         |
| Checkov ID | CKV_OPENAPI_13  |
