Checkmarx · ArturRibeiro-CX · Feb 26, 2025 · Feb 27, 2025 · Feb 28, 2025 · Mar 5, 2025
@@ -16,6 +16,14 @@
         {
           "description": "Avoiding Ansible playbook update_password",
           "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+        },
+        {
+          "description": "Allow passwords retrieved from Terraform data sources",
+          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.azurerm_key_vault_secret\\.[A-Za-z0-9_]+\\.value"
+        },
+        {
+          "description": "Allow passwords retrieved from AWS KMS Secrets",
+          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.aws_kms_secrets\\.[A-Za-z0-9_]+\\.plaintext\\[\"[A-Za-z0-9_]+\"\\]"
         }
       ],
       "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"

@@ -0,0 +1,44 @@
+provider "azurerm" {
+  features {}
+}
+
+# Example of using an existing Key Vault and secret
+data "azurerm_key_vault" "example" {
+  name                = "your-key-vault-name"
+  resource_group_name = "your-resource-group"
+}
+
+data "azurerm_key_vault_secret" "LinuxVmPassword" {
+  name          = "your-secret-name"
+  key_vault_id  = data.azurerm_key_vault.example.id
+}
+
+resource "azurerm_linux_virtual_machine" "example_vm" {
+  name                = "example-vm"
+  resource_group_name = "your-resource-group"
+  location            = "your-location"
+  size                = "Standard_DS1_v2"
+  admin_username      = "adminuser"
+  admin_password      = data.azurerm_key_vault_secret.LinuxVmPassword.value
+
+  network_interface_ids = [
+    # Your network interface ID
+  ]
+
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "18.04-LTS"
+    version   = "latest"
+  }
+}
+
+output "vm_password" {
+  value     = data.azurerm_key_vault_secret.LinuxVmPassword.value
+  sensitive = true
+}
@@ -0,0 +1,17 @@
+data "template_file" "sci_integration_app_properties_secret_template" {
+  template = file(join("", ["/secrets/sci-integration-app", var.resource_identifier_shorthand], ".json"))
+
+  vars = {
+    ayreshirerarran_password   = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["ayreshirerarran_password"]
+    lanark_password            = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lanark_password"]
+    tayside_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["tayside_password"]
+    glasgow_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["glasgow_password"]
+    grampian_password          = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["grampian_password"]
+    highland_password          = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["highland_password"]
+    westernisles_password      = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["westernisles_password"]
+    dumfriesandgalloway_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["dumfriesandgalloway_password"]
+    forthvalley_password       = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["forthvalley_password"]
+    borders_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["borders_password"]
+    lothian_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lothian_password"]
+  }
+}
@@ -17,4 +17,5 @@ services:
       - "5432:5432"
     environment:
       - POSTGRES_USER=postgres
-      - POSTGRES_PASSWORD=postgres
+      - POSTGRES_PASSWORD=postgres
+      - POSTGRES_PASSWORD=string
@@ -383,6 +383,12 @@
     "line": 20,
     "fileName": "positive46.yaml"
   },
+  {
+    "queryName": "Passwords And Secrets - Generic Password",
+    "severity": "HIGH",
+    "line": 21,
+    "fileName": "positive46.yaml"
+  },
   {
     "queryName": "Passwords And Secrets - Google OAuth",
     "severity": "HIGH",

@@ -121,7 +121,7 @@ require (
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/containerd/containerd v1.7.24 // indirect
+	github.com/containerd/containerd v1.7.26 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/cli v27.5.0+incompatible // indirect

@@ -298,8 +298,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
-github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA=
-github.com/containerd/containerd v1.7.24/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
+github.com/containerd/containerd v1.7.26 h1:3cs8K2RHlMQaPifLqgRyI4VBkoldNdEw62cb7qQga7k=
+github.com/containerd/containerd v1.7.26/go.mod h1:m4JU0E+h0ebbo9yXD7Hyt+sWnc8tChm7MudCjj4jRvQ=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=