# Semgrep rule for Ansible YAML: reports `validate_certs: false` on an apt_key
# task that downloads its key from a `url`.
#
# Why it matters: the downloaded key becomes a trust anchor for APT package
# signatures. Fetching it without TLS certificate validation means the key's
# origin is not authenticated, so a party able to tamper with the connection
# could substitute a different key.
#
# Remediation: remove the option (the module validates certificates by
# default) or set it to true. For an internal host signed by a private CA,
# trust that CA on the managed node instead of disabling validation.
rules:
  - id: apt-key-validate-certs-disabled
    message: Found apt key with SSL verification disabled
    languages: [yaml]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      subcategory: [audit]
      technology: [ansible, apt]
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
      references:
        - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html#parameter-validate_certs
    # Every entry under `patterns` must hold for a finding (logical AND).
    patterns:
      # Scope: only look inside a mapping that contains a `url` key. Tasks that
      # supply the key some other way have no `url` key and are not matched.
      - pattern-inside: |
          $APTKEY:
            ...
            url: ...
            ...
      # The enclosing key must be the apt_key module, written either with its
      # short name or its fully qualified collection name.
      - metavariable-pattern:
          metavariable: $APTKEY
          pattern-either:
            - pattern: apt_key
            - pattern: ansible.builtin.apt_key
      # The reported node: a single key/value pair inside that mapping.
      - pattern: "$KEY: $VALUE"
      # ...whose key is validate_certs...
      - metavariable-pattern:
          metavariable: $KEY
          pattern-either:
            - pattern: validate_certs
      # ...and whose value is the literal `false`.
      # NOTE(review): Ansible also accepts other falsy spellings (for example
      # `no` or `False`). Whether this pattern matches them depends on how
      # Semgrep normalises YAML scalars - confirm with a test fixture, and add
      # alternatives here if they are missed.
      - metavariable-pattern:
          metavariable: $VALUE
          pattern-either:
            - pattern: "false"