Secrets Policy Settings
Last updated
Was this helpful?
Last updated
Was this helpful?
Arnica's policies unlock the power of real-time code risk scanning and leverage ChatOps to seamlessly integrate into the developers' day to day work. This section will highlight the different capabilities of the secrets policy and guide you in setting up the policies.
All policies can be configured in the . These policies are comprised of general configurations and policy rules. General settings and policy rules come with default configurations that govern out of the box event-driven behavior.
The configurations section provides advanced settings that each customer can change. These configurations take effect across the tenant, and will be applied to all defined secret scanning rules.
Customers with proprietary hardcoded secrets can configure custom hardcoded secret detection patterns.
To add custom secrets, click on add
in the Custom Secrets
section in the secrets category and then add the secret regex in a go compilable format. Modify the risk severity and name you want to appear in each finding and click on save
.
Arnica comes pre-configured with default paths and files that are being excluded from scanning to reduce the false positives rate. These paths are known to produce a high false positive rate based on common repository forks and example paths.
To add a custom ignore path, click on add
, provide a go
compilable regular expression, pick a name and click on save
.
Arnica's rules are executed when triggers are configured, such as git push event. The identification of the code risks is scoped with specific conditions, such as a specific code repository with at least high severity risk. When these conditions are met, Arnica executes the selected actions, such as sending an instant message to the code pusher and mitigating the secret via git reset.
The only supported trigger for the hardcoded secrets functionality is git push
. Every time a developer pushes code with 1 or more commits, they are analyzed in real time.
The supported conditions are:
Always (TRUE): This condition will always evaluate to true. A good use of this policy is to see all real-time results as developers push code.
Any of (OR): a logical operator that is set to true if any of the sub-conditions (any of the conditions on this list) are matched in the context of the executed trigger.
All of (AND): a logical operator that is set to true if all of the sub-conditions (any of the conditions on this list) are matched in the context of the executed trigger.
Reverse (NOT): allows you to negate a specific sub-condition (consider false if the sub-condition is true and vice versa).
Source Code Management: if multiple source code management platforms are integrated into Arnica, such as Github and Azure DevOps, a specific platform can be selected.
Organization: if multiple organizations or workspaces are integrated, this condition can be used to select a specific organization.
Project: allows the selection of a specific project in the organization. Note: this only applies to SCMs with project hierarchy. If the SCM does not support a project hierarchy, the condition will always return true
.
Repository: allows the selection of a specific source code repository.
Branch: this condition allows the selection of the impacted branch (regular expression) of the triggered event. In the case of a pull request trigger, the branch is matched against the source branch (where the vulnerability is introduced).
Actions are executed only when the conditions within the policy rule are met.
Arnica can send instant messages to one or more of the following:
Specific recipient: Arnica can send a direct message to a user or channel. For example, a common use case is to send notifications to shared security teams upon identification of hardcoded secrets based on given conditions.
Customers are encouraged to define multiple rules. The rules in the policy are executed in order - if there is a match in the trigger and conditions, Arnica will execute the actions listed for that rule and stop processing other rules.
A good resource to test your go compatible regular expressions would be . Pick the golang
flavor on the left side bar and tweak your regular expressions as needed.
Product: allows the selection of a specific product as defined in .
Severity: selects the minimum risk severity of a finding. In this case, only or will have a severity.
Secret Validation Status: allows the selection of a .
Recipient(s) lookup: Arnica can lookup the user based on the context of the trigger. When a git push event occurs, Arnica can send a message to the user who authored, committed or pushed the hardcoded secret. Arnica can also select the remediation owners as defined in .
An example of an instant message notification can be found in the .
Additionally, Arnica can mitigate hardcoded secrets for the developer, as described in more detail in the .