Add exclusion patterns for curl-unecrypted-url

fruechel-canva · mschwager · commit 811a9b53fb87 · 2025-01-06T05:49:12.000-07:00
curl-unecrypted-url produces a lot of false positives on repositories
with lots of cloud infrastructure code for AWS or GCP. These providers
use link local URLs via HTTP without TLS. This is equivalent to
localhost patterns.
diff --git a/generic/curl-unencrypted-url.sh b/generic/curl-unencrypted-url.sh
@@ -13,4 +13,10 @@ curl https://google.com > /dev/null
 curl http://localhost > /dev/null
 
 # ok: curl-unencrypted-url
-curl http://127.0.0.1 > /dev/null
+curl http://127.0.0.1 > /dev/null
+
+# ok: curl-unencrypted-url
+curl http://169.254.169.254 > /dev/null
+
+# ok: curl-unencrypted-url
+curl http://metadata.google.internal > /dev/null
diff --git a/generic/curl-unencrypted-url.yaml b/generic/curl-unencrypted-url.yaml
@@ -19,3 +19,5 @@ rules:
           - pattern: curl ... ftp://
       - pattern-not-inside: curl ... http://127.0.0.1
       - pattern-not-inside: curl ... http://localhost
+      - pattern-not-inside: curl ... http://169.254.169.254
+      - pattern-not-inside: curl ... http://metadata.google.internal
