Base64 High Entropy String
Bridgecrew Policy ID: BC_GIT_6
Checkov Check ID: CKV_SECRET_6
Severity: LOW
Base64 High Entropy Strings
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string. Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.
Fix - Buildtime
Multiple Services
Step 1: Revoke the exposed secret.
Start by understanding what services were impacted and refer to the corresponding API documentation to learn how to revoke and rotate the secret.
Step 2: Clean the git history.
Go under the settings section of your GitHub project and chose the change visibility button at the bottom.
Step 3: Check any relevant access logs to ensure the key was not utilized during the compromised period.
Fix - Terraform
resource "aws_glue_connection" "examplevpc" {
connection_properties = {
JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
- PASSWORD = "valuethatdoesntcontainsecretword"
USERNAME = "exampleusername"
}
name = "example"
physical_connection_requirements {
availability_zone = aws_subnet.example.availability_zone
security_group_id_list = [aws_security_group.example.id]
subnet_id = aws_subnet.example.id
}
}
Don't hardcode the secret in the resource, pull in dynamically from a secret source of your choice e.g. AWS parameter store, and if already committed to source follow the git instructions stated previously.
Updated 4 months ago