Base64 High Entropy Strings
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string. Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.
Code Example
resource "aws_glue_connection" "examplevpc" {
connection_properties = {
JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
- PASSWORD = "valuethatdoesntcontainsecretword"
USERNAME = "exampleusername"
}
name = "example"
physical_connection_requirements {
availability_zone = aws_subnet.example.availability_zone
security_group_id_list = [aws_security_group.example.id]
subnet_id = aws_subnet.example.id
}
}Remediation
Multiple Services
. Revoke the exposed secret. + Start by understanding what services were impacted and refer to the corresponding API documentation to learn how to revoke and rotate the secret.
. Clean the git history. + Go under the settings section of your GitHub project and chose the change visibility button at the bottom.
. Check any relevant access logs to ensure the key was not utilized during the compromised period.
=== Fix - Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1305 |
| Severity | LOW |
| IaC Type | secrets |
| Frameworks | Git |
| Checkov ID | CKV_SECRET_6 |