API keys transmitted over cleartext
Description
This policy checks for instances where API keys may be sent over unencrypted, plain-text connections. If an API key travels in cleartext, anyone positioned on the network path can intercept it and reuse it as the legitimate client, leading to unauthorized access, data theft, or other harmful activity. The danger is not the key itself but that it is a bearer credential: possession is all that is needed to use it.
Code Example
```yaml
openapi: 3.0.0
info:
  title: Secure API
  version: 1.0.0
servers:
  - url: https://api.example.com
    description: Secure server
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-KEY
paths:
  /secureEndpoint:
    get:
      summary: Secure endpoint requiring API key
      security:
        - ApiKeyAuth: []
      responses:
        '200':
          description: Success
```
Remediation
OpenAPI
To address the issue, the OpenAPI specification must only declare servers that use an encrypted transport (HTTPS URLs) wherever an API key security scheme is required, and the key itself should be carried in a header rather than a query string. The YAML example above is an OpenAPI spec that complies with this policy: every server URL uses https, and the `ApiKeyAuth` scheme sends the key in the `X-API-KEY` header.
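As an added illustration of the policy's logic (not Checkov's own implementation of CKV_OPENAPI_20), the script below scans an OpenAPI 3 document loaded as a Python dict and reports every operation that requires an `apiKey` security scheme while being reachable through a server whose URL is not HTTPS. It honours the OpenAPI precedence rules for `servers` (operation over path item over root) and for `security` (operation over root); the specs it scans are constructed for this example.

```python
from urllib.parse import urlparse
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def _cleartext_servers(servers):
    """Return the absolute server URLs in `servers` whose scheme is not https."""
    bad = []
    for server in servers or []:
        url = server.get("url", "")
        scheme = urlparse(url).scheme.lower()
        # A relative URL ("/v1") inherits the scheme of the document's host, so skip it.
        if scheme and scheme != "https":
            bad.append(url)
    return bad

def find_cleartext_api_keys(spec):
    """Return (path, method, scheme_name, server_url) for each apiKey-protected operation over non-HTTPS."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    api_key_schemes = {n for n, s in schemes.items() if s.get("type") == "apiKey"}
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # The most specific `servers` list wins: operation > path item > root.
            servers = op.get("servers") or item.get("servers") or spec.get("servers")
            # An operation-level `security` overrides the root-level one.
            security = op.get("security", spec.get("security", []))
            required = {name for req in security for name in req} & api_key_schemes
            for url in _cleartext_servers(servers):
                for name in sorted(required):
                    findings.append((path, method, name, url))
    return findings

# Constructed spec: the root server is plain HTTP; one path overrides it with HTTPS.
OK = {"200": {"description": "Success"}}
CLEARTEXT_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "http://api.example.com"}],
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-KEY"}}},
    "paths": {
        "/secureEndpoint": {"get": {"security": [{"ApiKeyAuth": []}], "responses": OK}},
        "/health": {"get": {"responses": OK}},
        "/tlsOnly": {"servers": [{"url": "https://api.example.com"}],
                     "get": {"security": [{"ApiKeyAuth": []}], "responses": OK}},
    },
}
# Remediated variant: the same spec with the root server moved to HTTPS.
REMEDIATED_SPEC = {**CLEARTEXT_SPEC, "servers": [{"url": "https://api.example.com"}]}
```

Only `/secureEndpoint` is reported: `/health` requires no API key, and `/tlsOnly` overrides the insecure root server with an HTTPS one.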
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1276 |
| Severity | HIGH |
| IaC Type | OpenAPI |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_OPENAPI_20 |