☑️ Prevent exposed New Relic secrets in objects
Kubernetes objects may need to reference secret data such as passwords and tokens in their configs. Providing such sensitive data in plain text is risky and strongly discouraged, as anyone with access to the manifest (or the repository it lives in) can steal and misuse it.
Different tools have different secrets, each with its own convention and format.
The gitleaks project aggregates detection rules for such tools and keeps them up to date with each tool's secret format.
Targeted objects by this rule (types of kind): All
Complexity: medium
Policy as code identifier: ALL_EXPOSED_SECRET_NEWRELIC
This rule will fail
If a New Relic browser API token, user API ID, and/or user API key is present anywhere in the config, for example:
API_TOKEN: new-relicpyr4d3v=>=``"NRJS-3d4426609cb13989018
API_ID: new_relic4n1dgwvcqyy:='crx8cnxi95wf3zk6oiq6m9dz6tr2fumiflczgwpaheh1snz57pvo5j9aoz8xbp79
API_KEY: new-relic3pp1u.pd3spt9ylr4||:NRAK-znt937p38jzna42mcdk8l1gczhm
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent exposed New Relic secrets in objects [1 occurrence]
💡 Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
How to fix this failure
Do not put sensitive data in any config. Kubernetes offers the Secret object for exactly this purpose: create the Secret out of band and have the workload reference it by name (for example through a secretKeyRef or a volume mount) instead of embedding the value in the manifest.
If you do not wish to use Secrets, take a look at these available alternatives.
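As an added example that is not part of this page, of datree, or of gitleaks, the following Python script approximates the check this rule performs and contrasts a failing manifest with the recommended fix. The regular expressions are modelled on the three identifier shapes shown above (NRJS- plus 19 hex characters, NRAK- plus 27 alphanumerics, and a 64-character user API ID next to a "new relic" keyword) and are an assumption of this example, not gitleaks' exact rule definitions; the manifests, credential values, and function names are likewise constructed for illustration and are not real credentials.

```python
import re

# Detection patterns for the three New Relic credential formats this rule covers.
# Modelled on the identifier shapes shown on the page; an approximation of, not
# a copy of, gitleaks' rules (assumption of this example).
PATTERNS = [
    ("new-relic-browser-api-token", re.compile(r"\bNRJS-[a-f0-9]{19}\b")),
    ("new-relic-user-api-id",
     re.compile(r"(?i)new[-_ ]?relic.{0,40}?\b([a-z0-9]{64})\b")),
    ("new-relic-user-api-key", re.compile(r"\bNRAK-[a-z0-9]{27}\b")),
]

# Constructed sample manifests (not from the page, not real credentials).
# 1) A ConfigMap that embeds the credentials in plain text: fails the rule.
BAD_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: browser-agent-config
data:
  API_TOKEN: "NRJS-3d4426609cb13989018"
  NEW_RELIC_API_ID: crx8cnxi95wf3zk6oiq6m9dz6tr2fumiflczgwpaheh1snz57pvo5j9aoz8xbp79
  NEW_RELIC_API_KEY: NRAK-znt937p38jzna42mcdk8l1gczhm
"""

# 2) A Secret manifest checked into the repo with the value in stringData.
#    The rule targets all kinds, so this still fails: the value is still
#    plain text in a config file.
SECRET_IN_REPO = """\
apiVersion: v1
kind: Secret
metadata:
  name: new-relic-creds
type: Opaque
stringData:
  api-key: NRAK-znt937p38jzna42mcdk8l1gczhm
"""

# 3) The fix: the workload references a Secret by name and key only. The
#    Secret itself is created out of band (e.g. kubectl create secret, or an
#    external secrets operator) and never appears in the manifest.
GOOD_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    spec:
      containers:
        - name: web
          image: example/web:1.0
          env:
            - name: NEW_RELIC_API_KEY
              valueFrom:
                secretKeyRef:
                  name: new-relic-creds
                  key: api-key
"""


def find_newrelic_secrets(text):
    """Return (line_number, rule_name, matched_value) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            for m in pattern.finditer(line):
                # Patterns with a capture group report the captured value only.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append((lineno, name, value))
    return findings


def rule_passes(text):
    """ALL_EXPOSED_SECRET_NEWRELIC passes only when no pattern matches."""
    return not find_newrelic_secrets(text)


def redact(value):
    """Keep a short prefix so a finding is identifiable without reprinting the secret."""
    return value[:8] + "..."


def report(filename, text):
    """Print findings in a datree-like layout."""
    findings = find_newrelic_secrets(text)
    print(f">> File: {filename}")
    if not findings:
        print("   ✅ Prevent exposed New Relic secrets in objects")
        return
    plural = "s" if len(findings) != 1 else ""
    print(f"   ❌ Prevent exposed New Relic secrets in objects "
          f"[{len(findings)} occurrence{plural}]")
    for lineno, name, value in findings:
        print(f"      line {lineno}: {name} -> {redact(value)}")
    print("   💡 Secret data found in config - keep your sensitive data elsewhere")


if __name__ == "__main__":
    report("failExample.yaml", BAD_MANIFEST)
    report("secretInRepo.yaml", SECRET_IN_REPO)
    report("fixedExample.yaml", GOOD_MANIFEST)
```

Running the script reports three findings for the ConfigMap, one for the Secret manifest that carries its value in stringData, and none for the Deployment that only names the Secret. The second case is the one practitioners most often miss: moving a value into a kind: Secret manifest does not fix the finding if that manifest is still committed alongside the rest of the config.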