{"id":22930710,"url":"https://github.com/kubewarden/env-variable-secrets-scanner-policy","last_synced_at":"2025-06-28T02:38:31.037Z","repository":{"id":61705306,"uuid":"548961187","full_name":"kubewarden/env-variable-secrets-scanner-policy","owner":"kubewarden","description":"A Kubewarden Policy that detects secrets (ssh private keys, API tokens, etc) leaked via environment variables","archived":false,"fork":false,"pushed_at":"2025-06-12T03:47:28.000Z","size":317,"stargazers_count":5,"open_issues_count":2,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-06-12T04:37:28.943Z","etag":null,"topics":["hacktoberfest","kubernetes","kubernetes-security","kubewarden-policy","policy-as-code","webassembly"],"latest_commit_sha":null,"homepage":"https://kubewarden.io","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubewarden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-10-10T13:07:01.000Z","updated_at":"2025-06-09T08:30:17.000Z","dependencies_parsed_at":"2023-11-07T09:27:25.768Z","dependency_job_id":"5297bfdc-66bb-4891-b873-237993ca9bdd","html_url":"https://github.com/kubewarden/env-variable-secrets-scanner-policy","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/kubewarden/env-variable-secrets-scanner-policy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fenv-variable-secrets-scanner-policy","tags_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/kubewarden%2Fenv-variable-secrets-scanner-policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fenv-variable-secrets-scanner-policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fenv-variable-secrets-scanner-policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubewarden","download_url":"https://codeload.github.com/kubewarden/env-variable-secrets-scanner-policy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fenv-variable-secrets-scanner-policy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262364888,"owners_count":23299663,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","kubernetes","kubernetes-security","kubewarden-policy","policy-as-code","webassembly"],"created_at":"2024-12-14T10:29:26.204Z","updated_at":"2025-06-28T02:38:31.026Z","avatar_url":"https://github.com/kubewarden.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Kubewarden Policy Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-policies.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)\n[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)\n\n# Kubewarden policy env-variable-secrets-scanner-policy\n\nThis policy will 
reject pods that contain a secret in an environment variable\nin any container. It scans environment variables in all containers, init\ncontainers and ephemeral containers. The policy can detect secrets that are\nleaked via base64-encoded variables. The policy looks for the following secrets\nbeing leaked: RSA private keys, SSH private keys and API tokens for different\nservices like Slack, Facebook tokens, AWS, Google, New Relic Keys, etc.\n\nThis policy is powered by the same rule engine used by [rusty\nhog](https://github.com/newrelic/rusty-hog), an open-source secret scanner from\nNew Relic.\n\nThe policy can either target `Pods`, or [workload\nresources](https://kubernetes.io/docs/concepts/workloads/) (`Deployments`,\n`ReplicaSets`, `DaemonSets`, `ReplicationControllers`, `Jobs`, `CronJobs`) by\nsetting the policy's `spec.rules` accordingly.\n\nBoth have trade-offs:\n\n- Policy targets Pods: Different kinds of resources (be they native or CRDs) can\n  create Pods. By having the policy target Pods, we guarantee that all the Pods\n  are going to be compliant, even those created from CRDs.\n  However, this could lead to confusion among users, as high-level Kubernetes\n  resources would be successfully created, but they would stay in a\n  non-reconciled state. Example: a Deployment creating a non-compliant Pod would be\n  created, but it would never have all its replicas running.\n- Policy targets workload resources (e.g. Deployment): the policy inspects the\n  higher-order resource (e.g. Deployment), so users get immediate feedback about\n  rejections.\n  However, non-compliant pods created by another high-level resource (be it\n  native to Kubernetes, or a CRD) may not get rejected.\n\n\u003e [!WARNING]  \n\u003e Some users reported\n\u003e [issues](https://github.com/kubewarden/env-variable-secrets-scanner-policy/issues/102)\n\u003e with this policy where the policy server halts its execution due to the time\n\u003e it takes to process the resources. 
This occurs more frequently under a high\n\u003e volume of requests or in resource-constrained environments. This happens\n\u003e because the library used by the policy to scan for secrets is not fast\n\u003e enough.\n\u003e\n\u003e To work around this issue, users can deploy this policy on a dedicated policy\n\u003e server where the execution timeout is increased or even disabled. Check our\n\u003e [documentation](https://docs.kubewarden.io/reference/policy-evaluation-timeout)\n\u003e on how to change this configuration.\n\n## Settings\n\nThis policy has no configurable settings.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fenv-variable-secrets-scanner-policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubewarden%2Fenv-variable-secrets-scanner-policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fenv-variable-secrets-scanner-policy/lists"}