10 changes: 10 additions & 0 deletions .gitleaks.toml
@@ -10,6 +10,16 @@
[allowlist]
description = "Exclude test fixtures, mock data, sample configs, and CI resources"
paths = [
# Go test files (commonly contain mock credentials)
'''.*_test\.go$''',

# JS/TS test files (.spec.ts, .test.tsx, etc.)
'''.*\.spec\.(ts|tsx|js|jsx)$''',
'''.*\.test\.(ts|tsx|js|jsx)$''',

# JS/TS test directories
'''__tests__/''',

# Go testdata directories
'''testdata/''',

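Review bot: the entries `'''__tests__/'''` and `'''testdata/'''` are unanchored regexes, so they also exclude any path that merely contains those substrings (a directory such as `mytestdata/`, for example); anchoring them as `(^|/)__tests__/` and `(^|/)testdata/` limits the exclusion to the directories the comments describe. The description line should also say plainly that a real credential committed into a `*_test.go` or `*.spec.ts` file is no longer reported once these paths are allowlisted, so reviewers know that test fixtures need a compensating check.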
157 changes: 142 additions & 15 deletions semgrep.yaml
@@ -560,20 +560,62 @@ rules:
languages: [yaml]
severity: WARNING
message: |
Pod explicitly enables automountServiceAccountToken (CWE-200).
Workload explicitly enables automountServiceAccountToken (CWE-200).

When enabled, the ServiceAccount token is mounted into the pod at
/var/run/secrets/kubernetes.io/serviceaccount/token. If the pod is
compromised, the attacker can use this token to access the Kubernetes API.

Remediation: Set automountServiceAccountToken: false if the pod doesn't
need Kubernetes API access (most application pods don't).
patterns:
- pattern: |
automountServiceAccountToken: true
- pattern-inside: |
kind: Pod
...
pattern-either:
# Match Pod directly
- patterns:
- pattern: |
automountServiceAccountToken: true
- pattern-inside: |
kind: Pod
...
# Match Deployment, StatefulSet, DaemonSet, ReplicaSet pod template
- patterns:
- pattern: |
automountServiceAccountToken: true
- pattern-inside: |
kind: $KIND
...
spec:
...
template:
...
- metavariable-regex:
metavariable: $KIND
regex: (Deployment|StatefulSet|DaemonSet|ReplicaSet)
# Match Job pod template
- patterns:
- pattern: |
automountServiceAccountToken: true
- pattern-inside: |
kind: Job
...
spec:
...
template:
...
# Match CronJob pod template (nested under jobTemplate)
- patterns:
- pattern: |
automountServiceAccountToken: true
- pattern-inside: |
kind: CronJob
...
spec:
...
jobTemplate:
...
spec:
...
template:
...
metadata:
cwe: "CWE-200"
category: "security"
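Review bot: the Job branch (`kind: Job ... spec: ... template: ...`) is structurally identical to the Deployment/StatefulSet/DaemonSet/ReplicaSet branch above it; adding `Job` to that branch's `metavariable-regex` alternative, as the default-ServiceAccount rule later in this file already does, removes the duplicated pattern. The rule, as the message states, fires only on an explicit `automountServiceAccountToken: true`; since the field defaults to true when omitted, a workload that never sets it is not reported, and the remediation text would be clearer if it said that the absence of the field has the same effect.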
@@ -582,7 +624,7 @@ rules:
languages: [yaml]
severity: WARNING
message: |
Pod uses default ServiceAccount (CWE-250).
Workload uses default ServiceAccount (CWE-250).

The default ServiceAccount may have more permissions than needed.
Each workload should use a dedicated ServiceAccount with minimal RBAC
@@ -594,12 +636,14 @@ rules:
metadata:
name: my-app-sa
pattern-either:
# Match Pod directly — explicit default
- pattern: |
kind: Pod
...
spec:
...
serviceAccountName: default
# Match Pod directly — no SA specified
- patterns:
- pattern: |
kind: Pod
@@ -608,6 +652,90 @@ rules:
...
- pattern-not: |
serviceAccountName: $SA
# Match controllers — explicit default
- patterns:
- pattern: |
spec:
...
template:
...
spec:
...
serviceAccountName: default
- pattern-inside: |
kind: $KIND
...
- metavariable-regex:
metavariable: $KIND
regex: (Deployment|StatefulSet|DaemonSet|ReplicaSet|Job)
# Match controllers — no SA specified (implicit default)
- patterns:
- pattern: |
spec:
...
template:
...
spec:
...
- pattern-not: |
spec:
...
template:
...
spec:
...
serviceAccountName: $SA
- pattern-inside: |
kind: $KIND
...
- metavariable-regex:
metavariable: $KIND
regex: (Deployment|StatefulSet|DaemonSet|ReplicaSet|Job)
# Match CronJob — explicit default
- patterns:
- pattern: |
spec:
...
jobTemplate:
...
spec:
...
template:
...
spec:
...
serviceAccountName: default
- pattern-inside: |
kind: CronJob
...
# Match CronJob — no SA specified (implicit default)
- patterns:
- pattern: |
spec:
...
jobTemplate:
...
spec:
...
template:
...
spec:
...
- pattern-not: |
spec:
...
jobTemplate:
...
spec:
...
template:
...
spec:
...
serviceAccountName: $SA
- pattern-inside: |
kind: CronJob
...
metadata:
cwe: "CWE-250"
category: "security"
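Review bot: the `pattern-not` clauses only recognise `serviceAccountName: $SA`; a pod template that selects its account through the deprecated `serviceAccount:` alias would be reported here as an implicit default even though it is not using the default account. A second `pattern-not` for `serviceAccount: $SA` in both the controller branch and the CronJob branch avoids that false positive. Separately, `Job` is listed in the `metavariable-regex` here but handled by its own branch in the automountServiceAccountToken rule earlier in this file; keeping the kind list identical in both rules makes future additions (for example a new controller kind) a one-line change.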
@@ -678,11 +806,11 @@ rules:
env:
TITLE: ${{ github.event.pull_request.title }}
patterns:
- pattern-regex: 'run:.*\$\{\{\s*github\.(head_ref|event\.(issue|pull_request|discussion|review|review_comment|comment)\.(title|body|head\.ref|head\.label)|event\.head_commit\.message|event\.commits\[\d+\]\.message)\s*\}\}'
- pattern-regex: 'run:\s*(?:[|>][-+]?)?[\s\S]*?\$\{\{\s*github\.(head_ref|event\.(issue|pull_request|discussion|review|review_comment|comment)\.(title|body|head\.ref|head\.label)|event\.head_commit\.message|event\.commits\[\d+\]\.message)\s*\}\}'
paths:
include:
- ".github/workflows/*.yml"
- ".github/workflows/*.yaml"
- "**/.github/workflows/*.yml"
- "**/.github/workflows/*.yaml"
metadata:
cwe: "CWE-78"
owasp: "A03:2021 - Injection"
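Review bot: the new `[\s\S]*?` after `run:` is unbounded across lines, so a `run:` in one step followed anywhere later in the file by a `${{ github.event.pull_request.title }}` expression matches, including the case where that expression sits in an `env:` block exactly as the message's own safe example (`TITLE: ${{ github.event.pull_request.title }}`) recommends. Bounding the match to the `run` scalar (stopping before the next line at the same or lower indentation) or expressing the check as a semgrep YAML pattern on the `run` key removes that false positive. The switch to `**/.github/workflows/*.yml` so that workflow files in nested directories are also scanned is a good change.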
@@ -716,12 +844,11 @@ rules:
- If checkout is needed, use merge commit: refs/pull/${{ github.event.number }}/merge
- Add persist-credentials: false to limit token scope
patterns:
- pattern-regex: 'pull_request_target'
- pattern-regex: 'ref:\s*\$\{\{.*pull_request\.head\.(sha|ref)\s*\}\}'
- pattern-regex: 'pull_request_target[\s\S]*?uses:\s*actions/checkout@[^\n]*\n(\s+\w+:.*\n)*\s+ref:\s*\$\{\{[^\}]*pull_request\.head\.(sha|ref)\s*\}\}'
paths:
include:
- ".github/workflows/*.yml"
- ".github/workflows/*.yaml"
- "**/.github/workflows/*.yml"
- "**/.github/workflows/*.yaml"
metadata:
cwe: "CWE-829"
category: "security"
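Review bot: in `(\s+\w+:.*\n)*`, `\w+` does not match hyphens, so a `with:` block that lists a hyphenated input such as `fetch-depth: 0` or `persist-credentials: false` (which the message itself recommends) before `ref:` breaks the chain and the checkout is not reported. Using `[\w-]+` there, and tolerating comment lines with `(\s+(?:[\w-]+:.*|#.*)\n)*`, keeps the match working on real workflows. The single combined regex is otherwise an improvement over the previous two `pattern-regex` entries, which were ANDed across the whole file and flagged any `pull_request_target` workflow that referenced a head ref anywhere.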