id: gcloud-func-secrets-unmanaged

info:
  name: Use Secrets Manager for Managing Secrets in Google Cloud Functions
  author: princechaddha
  severity: medium
  description: |
    To prevent unauthorized access or accidental exposure of sensitive information, ensure that Secrets Manager service is used to store and manage secrets instead of storing them in cleartext within Cloud Functions environment variables.
  impact: |
    Storing secrets in environment variables without encryption can expose sensitive information to unauthorized access, potentially leading to security breaches and compliance issues.
  remediation: |
    Refactor your Google Cloud Functions to use Secrets Manager for managing sensitive configuration settings instead of storing them directly in environment variables.
  reference:
    - https://cloud.google.com/functions/docs/securing/managing-secrets
  tags: cloud,devops,gcp,gcloud,google-cloud-functions,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let functionName of iterate(template.functions)){
      set("functionName", functionName)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud functions list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: functions
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud functions describe $functionName --format="json(serviceConfig.environmentVariables,buildConfig.environmentVariables)"

    matchers:
      - type: word
        words:
          - 'PASSWORD'
          - 'API_KEY'
          - 'SECRET_KEY'
          - 'ACCESS_TOKEN'
          - 'TOKEN'
        case-insensitive: true
        condition: or

    extractors:
      - type: dsl
        dsl:
          - '"Sensitive information found in environment variables for function: " + functionName + ", Project: " + projectId'
# digest: 4a0a00473045022100e990f9b65300b3b54057775bf8ae1b94bd107ba5a3196832aa226ae9ddfee08d02202b6647b244be5159434a48b5d76dd66c833a6de473ab15128114639326f01dc9:922c64590222798bb761d5b6d8e72950