4242
4343 If this is a test fixture or example:
4444 - Add comment: # nosemgrep: generic-hardcoded-secret
45- - Or use obviously fake values: password = "REPLACE_ME "
45+ - Or use obviously fake values: password = "FAKE "
4646 patterns :
4747 - pattern-regex : |-
4848 (?i)(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)\s*[:=]+\s*["'][^"']{8,}["']
7171 - Enable AWS CloudTrail for key usage monitoring
7272
7373 False Positive: If this is documentation/example, replace with:
74- AKIAIOSFODNN7EXAMPLE (official AWS example key)
74+ AKIA...EXAMPLE (redacted AWS example key)
7575 pattern-regex : ' AKIA[0-9A-Z]{16}'
7676 metadata :
7777 cwe : " CWE-798"
@@ -560,20 +560,62 @@ rules:
560560 languages : [yaml]
561561 severity : WARNING
562562 message : |
563- Pod explicitly enables automountServiceAccountToken (CWE-200).
563+ Workload explicitly enables automountServiceAccountToken (CWE-200).
564564
565565 When enabled, the ServiceAccount token is mounted into the pod at
566566 /var/run/secrets/kubernetes.io/serviceaccount/token. If the pod is
567567 compromised, the attacker can use this token to access the Kubernetes API.
568568
569569 Remediation: Set automountServiceAccountToken: false if the pod doesn't
570570 need Kubernetes API access (most application pods don't).
571- patterns :
572- - pattern : |
573- automountServiceAccountToken: true
574- - pattern-inside : |
575- kind: Pod
576- ...
571+ pattern-either :
572+ # Match Pod directly
573+ - patterns :
574+ - pattern : |
575+ automountServiceAccountToken: true
576+ - pattern-inside : |
577+ kind: Pod
578+ ...
579+ # Match Deployment, StatefulSet, DaemonSet, ReplicaSet pod template
580+ - patterns :
581+ - pattern : |
582+ automountServiceAccountToken: true
583+ - pattern-inside : |
584+ kind: $KIND
585+ ...
586+ spec:
587+ ...
588+ template:
589+ ...
590+ - metavariable-regex :
591+ metavariable : $KIND
592+ regex : (Deployment|StatefulSet|DaemonSet|ReplicaSet)
593+ # Match Job pod template
594+ - patterns :
595+ - pattern : |
596+ automountServiceAccountToken: true
597+ - pattern-inside : |
598+ kind: Job
599+ ...
600+ spec:
601+ ...
602+ template:
603+ ...
604+ # Match CronJob pod template (nested under jobTemplate)
605+ - patterns :
606+ - pattern : |
607+ automountServiceAccountToken: true
608+ - pattern-inside : |
609+ kind: CronJob
610+ ...
611+ spec:
612+ ...
613+ jobTemplate:
614+ ...
615+ spec:
616+ ...
617+ template:
618+ ...
577619 metadata :
578620 cwe : " CWE-200"
579621 category : " security"
@@ -582,7 +624,7 @@ rules:
582624 languages : [yaml]
583625 severity : WARNING
584626 message : |
585- Pod uses default ServiceAccount (CWE-250).
627+ Workload uses default ServiceAccount (CWE-250).
586628
587629 The default ServiceAccount may have more permissions than needed.
588630 Each workload should use a dedicated ServiceAccount with minimal RBAC
@@ -594,12 +636,14 @@ rules:
594636 metadata:
595637 name: my-app-sa
596638 pattern-either :
639+ # Match Pod directly — explicit default
597640 - pattern : |
598641 kind: Pod
599642 ...
600643 spec:
601644 ...
602645 serviceAccountName: default
646+ # Match Pod directly — no SA specified
603647 - patterns :
604648 - pattern : |
605649 kind: Pod
@@ -608,6 +652,90 @@ rules:
608652 ...
609653 - pattern-not : |
610654 serviceAccountName: $SA
655+ # Match controllers — explicit default
656+ - patterns :
657+ - pattern : |
658+ spec:
659+ ...
660+ template:
661+ ...
662+ spec:
663+ ...
664+ serviceAccountName: default
665+ - pattern-inside : |
666+ kind: $KIND
667+ ...
668+ - metavariable-regex :
669+ metavariable : $KIND
670+ regex : (Deployment|StatefulSet|DaemonSet|ReplicaSet|Job)
671+ # Match controllers — no SA specified (implicit default)
672+ - patterns :
673+ - pattern : |
674+ spec:
675+ ...
676+ template:
677+ ...
678+ spec:
679+ ...
680+ - pattern-not : |
681+ spec:
682+ ...
683+ template:
684+ ...
685+ spec:
686+ ...
687+ serviceAccountName: $SA
688+ - pattern-inside : |
689+ kind: $KIND
690+ ...
691+ - metavariable-regex :
692+ metavariable : $KIND
693+ regex : (Deployment|StatefulSet|DaemonSet|ReplicaSet|Job)
694+ # Match CronJob — explicit default
695+ - patterns :
696+ - pattern : |
697+ spec:
698+ ...
699+ jobTemplate:
700+ ...
701+ spec:
702+ ...
703+ template:
704+ ...
705+ spec:
706+ ...
707+ serviceAccountName: default
708+ - pattern-inside : |
709+ kind: CronJob
710+ ...
711+ # Match CronJob — no SA specified (implicit default)
712+ - patterns :
713+ - pattern : |
714+ spec:
715+ ...
716+ jobTemplate:
717+ ...
718+ spec:
719+ ...
720+ template:
721+ ...
722+ spec:
723+ ...
724+ - pattern-not : |
725+ spec:
726+ ...
727+ jobTemplate:
728+ ...
729+ spec:
730+ ...
731+ template:
732+ ...
733+ spec:
734+ ...
735+ serviceAccountName: $SA
736+ - pattern-inside : |
737+ kind: CronJob
738+ ...
611739 metadata :
612740 cwe : " CWE-250"
613741 category : " security"
@@ -645,6 +773,10 @@ rules:
645773 patterns :
646774 - pattern-not : ${{ secrets.$SECRET }}
647775 - pattern-not : ${{ env.$ENV }}
776+ paths :
777+ include :
778+ - " **/.github/workflows/*.yml"
779+ - " **/.github/workflows/*.yaml"
648780 metadata :
649781 cwe : " CWE-798"
650782 category : " security"
@@ -678,11 +810,11 @@ rules:
678810 env:
679811 TITLE: ${{ github.event.pull_request.title }}
680812 patterns :
681- - pattern-regex : ' run:.* \$\{\{\s*github\.(head_ref|event\.(issue|pull_request|discussion|review|review_comment|comment)\.(title|body|head\.ref|head\.label)|event\.head_commit\.message|event\.commits\[\d+\]\.message)\s*\}\}'
813+ - pattern-regex : ' run:\s*(?:[|>][-+]?)?[\s\S]*? \$\{\{\s*github\.(head_ref|event\.(issue|pull_request|discussion|review|review_comment|comment)\.(title|body|head\.ref|head\.label)|event\.head_commit\.message|event\.commits\[\d+\]\.message)\s*\}\}'
682814 paths :
683815 include :
684- - " .github/workflows/*.yml"
685- - " .github/workflows/*.yaml"
816+ - " **/ .github/workflows/*.yml"
817+ - " **/ .github/workflows/*.yaml"
686818 metadata :
687819 cwe : " CWE-78"
688820 owasp : " A03:2021 - Injection"
@@ -716,12 +848,11 @@ rules:
716848 - If checkout is needed, use merge commit: refs/pull/${{ github.event.number }}/merge
717849 - Add persist-credentials: false to limit token scope
718850 patterns :
719- - pattern-regex : ' pull_request_target'
720- - pattern-regex : ' ref:\s*\$\{\{.*pull_request\.head\.(sha|ref)\s*\}\}'
851+ - pattern-regex : ' pull_request_target[\s\S]*?uses:\s*actions/checkout@[^\n]*\n(\s+\w+:.*\n)*\s+ref:\s*\$\{\{[^\}]*pull_request\.head\.(sha|ref)\s*\}\}'
721852 paths :
722853 include :
723- - " .github/workflows/*.yml"
724- - " .github/workflows/*.yaml"
854+ - " **/ .github/workflows/*.yml"
855+ - " **/ .github/workflows/*.yaml"
725856 metadata :
726857 cwe : " CWE-829"
727858 category : " security"
@@ -920,13 +1051,25 @@ rules:
9201051 patterns :
9211052 - pattern-either :
9221053 - pattern : |
923- const $VAR = "password"
1054+ $VAR := $VALUE
9241055 - pattern : |
925- const $VAR = "secret"
1056+ const $VAR = $VALUE
9261057 - pattern : |
927- const $VAR = "token"
928- - pattern : |
929- var $VAR = "Bearer ..."
1058+ var $VAR = $VALUE
1059+ - metavariable-regex :
1060+ metavariable : $VAR
1061+ regex : (?i)(password|passwd|secret|token|api[_-]?key|private[_-]?key|credentials?)
1062+ - metavariable-regex :
1063+ metavariable : $VALUE
1064+ regex : ' "[^"]{8,}"'
1065+ - pattern-not : |
1066+ $VAR := os.Getenv("...")
1067+ - pattern-not : |
1068+ var $VAR = os.Getenv("...")
1069+ - pattern-not : |
1070+ const $VAR = os.Getenv("...")
1071+ - pattern-not : |
1072+ $VAR, $_ := os.LookupEnv("...")
9301073 metadata :
9311074 cwe : " CWE-798"
9321075 owasp : " A07:2021"
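Review bot: In the pull_request_target hunk (@@ -716,12 +848,11 @@), the `(\s+\w+:.*\n)*` segment of the new pattern-regex only steps over `with:` entries whose key is purely `\w+`, so a hyphenated key placed before `ref:` — `fetch-depth: 0`, or the `persist-credentials: false` this rule's own remediation text recommends adding — stops the match and the unsafe checkout goes unreported; changing it to `(\s+[\w.-]+:.*\n)*` keeps the step bound while accepting real workflow keys. The same regex also only recognises `actions/checkout@`, so forked or mirrored checkout actions are not covered; a comment on the rule stating that limitation would help whoever triages a clean scan. In the script-injection hunk (@@ -678,11 +810,11 @@), the new `run:\s*(?:[|>][-+]?)?[\s\S]*?` prefix is unbounded across lines, so it runs from any `run:` key to the next `${{ github.event... }}` expression anywhere later in the file, including an `env:` block like the one the rule's message presents as the safe remediation, which will then be flagged whenever any `run:` precedes it; limiting the skipped text to lines that do not begin a new mapping key, or matching the `run:` scalar with a YAML pattern and a metavariable-regex on its value, would stop the rule reporting its own fix. Both regexes are presumably applied to the whole file as one string, which is what makes the cross-step spans possible; worth confirming against the rule's test cases.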