Back to catalog

Environment Variable Contains Secret

No violationsstackroxhighdeploy

Alert on deployments with environment variables that contain 'SECRET'

Rationale
Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.
Remediation
Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.4.1
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

3 of 5 targets supported
environment-variable-contains-secret.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: environment-variable-contains-secret
  annotations:
    policies.kyverno.io/title: Environment Variable Contains Secret
    policies.kyverno.io/category: Security Best Practices
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: Alert on deployments with environment variables that contain 'SECRET'
    policies.kyverno.io/remediation: Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.
    policies.kyverno.io/rationale: Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.
    policies.io/source: stackrox
    policies.io/source-id: f4996314-c3d7-4553-803b-b24ce7febe48
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: environment-variable-contains-secret
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Policy \"Environment Variable Contains Secret\" violated: Alert on deployments with environment variables that contain 'SECRET'"
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].env[].name || `[]` }}"
                operator: AnyIn
                value:
                  - RAW
      exclude:
        any:
          - resources:
              namespaces:
                - openshift-storage
          - resources:
              namespaces:
                - openshift-storage
          - resources:
              namespaces:
                - openshift-storage
          - resources:
              namespaces:
                - openshift-ocm-agent-operator
          - resources:
              namespaces:
                - openshift-ingress
          - resources:
              namespaces:
                - openshift-image-registry
          - resources:
              namespaces:
                - openshift-user-workload-monitoring
          - resources:
              namespaces:
                - open-cluster-management
          - resources:
              namespaces:
                - multicluster-engine
IR (canonical)
{
  "id": "f4996314-c3d7-4553-803b-b24ce7febe48",
  "name": "Environment Variable Contains Secret",
  "description": "Alert on deployments with environment variables that contain 'SECRET'",
  "rationale": "Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.",
  "remediation": "Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.",
  "severity": "high",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "noobaa-core",
      "namespace": "openshift-storage"
    },
    {
      "name": "noobaa-endpoint",
      "namespace": "openshift-storage"
    },
    {
      "name": "ocs-operator",
      "namespace": "openshift-storage"
    },
    {
      "name": "ocm-agent",
      "namespace": "openshift-ocm-agent-operator"
    },
    {
      "name": "router-default",
      "namespace": "openshift-ingress"
    },
    {
      "name": "image-registry",
      "namespace": "openshift-image-registry"
    },
    {
      "name": "thanos-ruler-user-workload",
      "namespace": "openshift-user-workload-monitoring"
    },
    {
      "name": "klusterlet-addon-controller-v2",
      "namespace": "open-cluster-management"
    },
    {
      "name": "managedcluster-import-controller-v2",
      "namespace": "multicluster-engine"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "environment-variable",
    "values": [
      "RAW=.*SECRET.*|.*PASSWORD.*="
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "f4996314-c3d7-4553-803b-b24ce7febe48",
  "name": "Environment Variable Contains Secret",
  "description": "Alert on deployments with environment variables that contain 'SECRET'",
  "rationale": "Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.",
  "remediation": "Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on deployment noobaa-core in namespace openshift-storage",
      "deployment": {
        "name": "noobaa-core",
        "scope": {
          "cluster": "",
          "namespace": "openshift-storage",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment noobaa-endpoint in namespace openshift-storage",
      "deployment": {
        "name": "noobaa-endpoint",
        "scope": {
          "cluster": "",
          "namespace": "openshift-storage",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment ocs-operator in namespace openshift-storage",
      "deployment": {
        "name": "ocs-operator",
        "scope": {
          "cluster": "",
          "namespace": "openshift-storage",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment ocm-agent in openshift-ocm-agent-operator namespace",
      "deployment": {
        "name": "ocm-agent",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ocm-agent-operator",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on router-default in openshift-ingress namespace",
      "deployment": {
        "name": "router-default",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ingress",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on image-registry in openshift-image-registry namespace",
      "deployment": {
        "name": "image-registry",
        "scope": {
          "cluster": "",
          "namespace": "openshift-image-registry",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on thanos-ruler-user-workload in openshift-user-workload-monitoring namespace",
      "deployment": {
        "name": "thanos-ruler-user-workload",
        "scope": {
          "cluster": "",
          "namespace": "openshift-user-workload-monitoring",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on klusterlet-addon-controller-v2 in namespace open-cluster-management",
      "deployment": {
        "name": "klusterlet-addon-controller-v2",
        "scope": {
          "cluster": "",
          "namespace": "open-cluster-management",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on managedcluster-import-controller-v2 in namespace multicluster-engine",
      "deployment": {
        "name": "managedcluster-import-controller-v2",
        "scope": {
          "cluster": "",
          "namespace": "multicluster-engine",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Environment Variable",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "RAW=.*SECRET.*|.*PASSWORD.*="
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}