admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-01 08:13:29 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba03e54063a94de8155adf476dc07e5b39bca341
nuclei-templates/cloud/gcp/function/gcloud-func-secrets-unmanaged.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

78 lines
2.4 KiB
YAML
Raw Blame History

id: gcloud-func-secrets-unmanaged
info:
name: Use Secrets Manager for Managing Secrets in Google Cloud Functions
author: princechaddha
severity: medium
description: |
To prevent unauthorized access or accidental exposure of sensitive information, ensure that Secrets Manager service is used to store and manage secrets instead of storing them in cleartext within Cloud Functions environment variables.
impact: |
Storing secrets in environment variables without encryption can expose sensitive information to unauthorized access, potentially leading to security breaches and compliance issues.
remediation: |
Refactor your Google Cloud Functions to use Secrets Manager for managing sensitive configuration settings instead of storing them directly in environment variables.
reference:
- https://cloud.google.com/functions/docs/securing/managing-secrets
tags: cloud,devops,gcp,gcloud,google-cloud-functions,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let functionName of iterate(template.functions)){
set("functionName", functionName)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud functions list --project $projectId --format="json(name)"
extractors:
- type: json
name: functions
internal: true
json:
- '.[].name'
- engine:
- sh
- bash
source: |
gcloud functions describe $functionName --format="json(serviceConfig.environmentVariables,buildConfig.environmentVariables)"
matchers:
- type: word
words:
- 'PASSWORD'
- 'API_KEY'
- 'SECRET_KEY'
- 'ACCESS_TOKEN'
- 'TOKEN'
case-insensitive: true
condition: or
extractors:
- type: dsl
dsl:
- '"Sensitive information found in environment variables for function: " + functionName + ", Project: " + projectId'
# digest: 4a0a00473045022100e990f9b65300b3b54057775bf8ae1b94bd107ba5a3196832aa226ae9ddfee08d02202b6647b244be5159434a48b5d76dd66c833a6de473ab15128114639326f01dc9:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink