Class: Rules::StaticAwsCredentials

Inherits:
Base
  • Object
Defined in:
lib/rules/static_aws_credentials.rb

Instance Method Summary

Instance Method Details

#check(workflow) ⇒ Object



# File 'lib/rules/static_aws_credentials.rb', line 7

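# Report configure-aws-credentials steps that authenticate with long-lived
# IAM user keys instead of an OIDC-federated role.
#
# A step is flagged whenever its `with:` block sets `aws-access-key-id`.
# This deliberately includes steps that also set `role-to-assume`: in that
# configuration the action uses the static key as the *source* credential for
# AssumeRole rather than a GitHub OIDC token, so the long-lived secret is
# still in play. (The previous condition `has_static && !has_oidc` silently
# exempted such role-chaining steps.)
#
# @param workflow [Object] parsed workflow; must respond to `jobs` (yields
#   job_id/job pairs), `steps(job)` (step hashes) and `line_of(regex)`
#   (line number of the first match, or nil)
# @return [Array] one finding (see Base#finding) per offending step
def check(workflow)
  workflow.jobs.flat_map do |_job_id, job|
    workflow.steps(job).filter_map do |step|
      # Substring match so the action ref's version suffix (@v4 etc.) and
      # owner prefix do not matter.
      next unless step["uses"]&.include?("configure-aws-credentials")

      with = step["with"] || {}
      # Malformed YAML can put a scalar under `with:`; skip rather than raise.
      next unless with.respond_to?(:key?) && with.key?("aws-access-key-id")

      value = with["aws-access-key-id"].to_s
      # Locate the line carrying this step's exact value first, so workflows
      # with several offending steps are not all attributed to the first
      # occurrence of the key; fall back to the first key match in the file.
      line = workflow.line_of(/aws-access-key-id:\s*#{Regexp.escape(value)}/) ||
             workflow.line_of(/aws-access-key-id/)

      finding(workflow,
        line: line || 0,
        # Quote what the workflow actually contains, not a canned example.
        code: "aws-access-key-id: #{value}",
        message: "Static AWS access keys — long-lived credentials that don't auto-expire",
        fix: "Use OIDC federation: role-to-assume with id-token: write permission, and remove aws-access-key-id/aws-secret-access-key"
      )
    end
  end
end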

#description ⇒ Object



# File 'lib/rules/static_aws_credentials.rb', line 4

# One-line summary of what this rule detects, shown alongside each finding.
def description
  "AWS credentials using static keys instead of OIDC"
end

#name ⇒ Object



# File 'lib/rules/static_aws_credentials.rb', line 3

# Stable rule identifier used to reference or suppress this rule.
def name
  "static-aws-credentials"
end

#severity ⇒ Object



# File 'lib/rules/static_aws_credentials.rb', line 5

# Severity symbol attached to findings from this rule. Static IAM user keys
# never expire on their own and are a common leak vector, hence :high.
def severity
  :high
end