Codestin Search App

cx-andre-pereira · 2025-09-11T10:08:26Z

Reason for Proposed Changes

Currently the regex_rules from passwords and secrets are flagging the following fields :

"HTTP_-_Get_OAuth_Token" : ...
"Parse_JSON_-_OAuth_Token": ...
"Try_-_Get_OAuth_Token": ...
"Catch_-_Get_OAuth_Token": ...

These should be assumed as "Microsoft.Logic workflows" actions since they follow a specific naming convention and can only have preset values (7 possible) and not sensitive information.
These False Positives are happening when "actions" with "runAfter" triggers define said triggers as such:

"runAfter_164": {
       "HTTP_-_Get_OAuth_Token": [
                                     "Succeeded"
                               ]
        }

or

"runAfter_164": {
       "HTTP_-_Get_OAuth_Token": ["Succeeded"]
        }

Given the limitations of the passwords_and_secrets's queries it is impossible to distinguish these cases in scenarios that rely on different naming schemes that also finish with "token". An action like "HTTP2_-_Get_OAuth_Token" would also be flagged even after this fix because it is impossible to predict how a user will name an action.
Considering the first example it is also impossible to filter by value associated with the field like "Succeeded". Since the scan will be line by line it is likely that said value is not available; otherwise , knowing the 7 possible values, the filtering process could be applicable to many more samples and still safe enough to not cause new False Negatives.

Proposed Changes

Added a new "allowRules" rule to the "Generic Token" query:

{
   "description": "Avoiding Run After Triggers",
   "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
}

Added a test "negative56.json" with all 4 fields to be ignored.
Finally, after fix(query): added two new allowRules on "Generic Secret" and "Generic Token" queries from Passwords and Secrets #7698 was merged some negative test naming isues were apparent, there were 2 negative54 tests (from previous PRs) and 2 negative56 tests, these did not cause issues because their file types were different but the naming was now corrected so that there are 58 tests in total finishing with negative58.bicep.

I submit this contribution under the Apache-2.0 license.

github-actions · 2025-09-11T10:09:04Z

KICS version: v2.1.13

	Category	Results
	CRITICAL	0
	HIGH	0
	MEDIUM	0
	LOW	0
	INFO	0
	TRACE	0
	TOTAL	0

Metric	Values
Files scanned	1
Files parsed	1
Files failed to scan	0
Total executed queries	47
Queries failed to execute	0
Execution time	0

…c_Token_ARM

cx-artur-ribeiro

Despite the description, all good to me.

assets/queries/common/passwords_and_secrets/regex_rules.json

…12469-FP-Passwords_and_Secrets_Generic_Token_ARM

gitguardian · 2025-09-23T14:34:37Z

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
20838717	Triggered	Generic Password	`51230b8`	assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/negative8.json	View secret

🛠 Guidelines to remediate hardcoded secrets

Understand the implications of revoking this secret by investigating where it is used in your code.
Replace and store your secret safely. Learn here the best practices.
Revoke and rotate this secret.
If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

following these best practices for managing and storing secrets including API keys and other credentials
install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

…c_Token_ARM

cx-artur-ribeiro

LGTM

…c_Token_ARM

cx-artur-ribeiro

LGTM

added 'Avoiding Run After Triggers' rule to regex_rules and related test

c679c48

github-actions bot added the query New query feature label Sep 11, 2025

cx-andre-pereira added 2 commits September 11, 2025 11:53

improved test

3259aa4

Merge branch 'master' into AST-112469-FP-Passwords_and_Secrets_Generi…

0d53bfb

…c_Token_ARM

github-actions bot added arm Azure Resource Manager query azure PR related with Azure Cloud labels Sep 11, 2025

cx-andre-pereira marked this pull request as ready for review September 11, 2025 12:53

cx-andre-pereira requested a review from a team as a code owner September 11, 2025 12:53

cx-artur-ribeiro assigned cx-andre-pereira Sep 17, 2025

cx-artur-ribeiro requested changes Sep 23, 2025

View reviewed changes

assets/queries/common/passwords_and_secrets/regex_rules.json Outdated Show resolved Hide resolved

cx-andre-pereira added 2 commits September 23, 2025 15:28

Merge branch 'master' of https://github.com/Checkmarx/kics into AST-1…

51230b8

…12469-FP-Passwords_and_Secrets_Generic_Token_ARM

improved allowRule description

241f6f5

Merge branch 'master' into AST-112469-FP-Passwords_and_Secrets_Generi…

bc4fb38

…c_Token_ARM

cx-artur-ribeiro previously approved these changes Sep 23, 2025

View reviewed changes

Merge branch 'master' into AST-112469-FP-Passwords_and_Secrets_Generi…

796bb1f

…c_Token_ARM

cx-andre-pereira dismissed cx-artur-ribeiro’s stale review via 796bb1f September 24, 2025 09:29

cx-andre-pereira added 2 commits September 24, 2025 10:31

fix negative test naming

770869e

Merge branch 'master' into AST-112469-FP-Passwords_and_Secrets_Generi…

f6e7339

…c_Token_ARM

cx-artur-ribeiro approved these changes Sep 24, 2025

View reviewed changes

cx-ricardo-jesus merged commit a56d84e into master Sep 24, 2025
26 of 27 checks passed

cx-ricardo-jesus deleted the AST-112469-FP-Passwords_and_Secrets_Generic_Token_ARM branch September 24, 2025 17:32

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(query): passwords and secrets fp for run after triggers#7713

fix(query): passwords and secrets fp for run after triggers#7713
cx-ricardo-jesus merged 9 commits intomasterfrom
AST-112469-FP-Passwords_and_Secrets_Generic_Token_ARM

cx-andre-pereira commented Sep 11, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Sep 11, 2025 •

edited

Loading

Uh oh!

cx-artur-ribeiro left a comment

Uh oh!

Uh oh!

gitguardian bot commented Sep 23, 2025 •

edited

Loading

Uh oh!

cx-artur-ribeiro left a comment

Uh oh!

cx-artur-ribeiro left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Comments

Conversation

cx-andre-pereira commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cx-artur-ribeiro left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

gitguardian bot commented Sep 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Uh oh!

cx-artur-ribeiro left a comment

Choose a reason for hiding this comment

Uh oh!

cx-artur-ribeiro left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Comments

cx-andre-pereira commented Sep 11, 2025 •

edited

Loading

github-actions bot commented Sep 11, 2025 •

edited

Loading

gitguardian bot commented Sep 23, 2025 •

edited

Loading