# METADATA
# title: CI Runner Debug Enabled
# description: |-
# The workflow is configured to increase the verbosity of the runner.
# This can potentially expose sensitive information.
# related_resources:
# - https://docs.gitlab.com/ee/ci/variables/index.html#enable-debug-logging
# - https://docs.gitlab.com/ee/ci/variables/index.html#mask-a-cicd-variable
# custom:
# level: note
package rules.debug_enabled
import data.poutine
import rego.v1
# rule is the policy descriptor every finding below is attached to; it is
# built from this package's METADATA annotations (title, description, level),
# which rego.metadata.chain() exposes — exact shape is decided by data.poutine.
rule := poutine.rule(rego.metadata.chain())
# GitLab CI variables that switch on verbose runner output (job trace /
# service container logs). Either one set to "true" is reported.
_gitlab_debug_vars := {"CI_DEBUG_SERVICES", "CI_DEBUG_TRACE"}
# GitLab: one finding per (package, config file) pair; the details field lists
# every debug variable found in that file, sorted so output is stable.
results contains finding if {
	some pkg_purl, config_path
	vars := _gitlab_debug_enabled[[pkg_purl, config_path]]
	finding := poutine.finding(rule, pkg_purl, {
		"path": config_path,
		"details": concat(" ", sort(vars)),
	})
}
# Debug variables declared at the top level of a GitLab CI config, keyed by
# [package purl, config path]. Value comparison is case-insensitive.
_gitlab_debug_enabled[[pkg.purl, config.path]] contains var.name if {
	some pkg in input.packages
	some config in pkg.gitlabci_configs
	some var in config.variables
	_gitlab_debug_vars[var.name]
	# assumes var.value is a string; a YAML boolean true would not match — confirm against the parser
	"true" == lower(var.value)
}
# Debug variables declared on an individual GitLab CI job, keyed by
# [package purl, config path]; same match as the top-level variant.
_gitlab_debug_enabled[[pkg.purl, config.path]] contains var.name if {
	some pkg in input.packages
	some config in pkg.gitlabci_configs
	some job in config.jobs
	some var in job.variables
	_gitlab_debug_vars[var.name]
	# assumes var.value is a string; a YAML boolean true would not match — confirm against the parser
	"true" == lower(var.value)
}
# GitHub Actions environment variables that turn on runner and step debug
# logging respectively.
_github_actions_debug_env_vars := {"ACTIONS_RUNNER_DEBUG", "ACTIONS_STEP_DEBUG"}

# is_debug_enabled holds when var (an object with name and value) names one of
# the debug variables and its value is "true" in any letter case.
is_debug_enabled(var) if {
	_github_actions_debug_env_vars[var.name]
	"true" == lower(var.value)
}
# GitHub Actions: debug variable set in the workflow-level env block, which
# applies to every job in the workflow.
results contains finding if {
	some pkg in input.packages
	some workflow in pkg.github_actions_workflows
	some var in workflow.env
	is_debug_enabled(var)
	finding := poutine.finding(rule, pkg.purl, {
		"path": workflow.path,
		"details": var.name,
		"event_triggers": [e.name | some e in workflow.events],
	})
}
# GitHub Actions: debug variable set in a job's env block; the finding points
# at the job's first line.
results contains finding if {
	some pkg in input.packages
	some workflow in pkg.github_actions_workflows
	some job in workflow.jobs
	some var in job.env
	is_debug_enabled(var)
	finding := poutine.finding(rule, pkg.purl, {
		"path": workflow.path,
		"job": job.id,
		"details": var.name,
		"line": job.lines.start,
		"event_triggers": [e.name | some e in workflow.events],
	})
}
# GitHub Actions: debug variable set in a single step's env block; the finding
# carries the step's position within the job and its first line.
results contains finding if {
	some pkg in input.packages
	some workflow in pkg.github_actions_workflows
	some job in workflow.jobs
	some step_id, step in job.steps
	some var in step.env
	is_debug_enabled(var)
	finding := poutine.finding(rule, pkg.purl, {
		"path": workflow.path,
		"job": job.id,
		"step": step_id,
		"details": var.name,
		"line": step.lines.start,
		"event_triggers": [e.name | some e in workflow.events],
	})
}
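# Azure Pipelines: System.Debug enabled at pipeline level. Both the variable
# name and its value are compared case-insensitively, so "System.Debug: True"
# (the spelling used in the Azure docs) is reported as well as the
# all-lowercase form; this matches the lower(var.value) check the GitLab and
# GitHub rules use. The original key spelling is kept in details.
results contains finding if {
	some pkg in input.packages
	some pipeline in pkg.azure_pipelines
	some key, value in pipeline.variables.map
	lower(key) == "system.debug"
	# assumes map values are strings; a YAML boolean true would not match — confirm against the parser
	lower(value) == "true"
	finding := poutine.finding(rule, pkg.purl, {
		"path": pipeline.path,
		"job": "",
		"step": "1",
		"details": key,
		"line": 0,
	})
}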