Class: Rules::StaticAwsCredentials

Inherits:
Base
  • Object
Defined in:
lib/rules/static_aws_credentials.rb


Instance Method Details

#check(workflow) ⇒ Object



# File 'lib/rules/static_aws_credentials.rb', line 7

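# Flags `configure-aws-credentials` steps that pass a static access key
# without `role-to-assume`, i.e. long-lived keys instead of OIDC federation.
#
# @param workflow [Object] parsed workflow exposing #jobs, #steps(job) and
#   #line_of(regex); the concrete class is defined elsewhere in the project
# @return [Array] findings built via #finding, empty when nothing matched
def check(workflow)
    findings = []

    workflow.jobs.each do |_job_id, job|
        workflow.steps(job).each do |step|
            next unless step["uses"]&.include?("configure-aws-credentials")

            # A malformed workflow can give `with:` as a scalar or a list;
            # treat anything that is not a mapping as "no inputs" rather
            # than aborting the whole scan on a NoMethodError.
            with = step["with"]
            with = {} unless with.is_a?(Hash)

            has_static = with.key?("aws-access-key-id")
            has_oidc = with.key?("role-to-assume")
            # A step with both keys and a role (role chaining) is deliberately
            # left alone; only static keys with no role are reported.
            next unless has_static && !has_oidc

            # NOTE(review): line_of is searched per finding with a file-wide
            # regex, so with several offending steps every finding may point
            # at the first occurrence — confirm against line_of's contract.
            line = workflow.line_of(/aws-access-key-id/)
            # `code` is a representative snippet, not the step's literal text.
            findings << finding(workflow,
                line: line || 0,
                code: "aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}",
                message: "Static AWS access keys — long-lived credentials that don't auto-expire",
                fix: "Use OIDC federation: role-to-assume with id-token: write permission"
            )
        end
    end

    findings
end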

#descriptionObject



# File 'lib/rules/static_aws_credentials.rb', line 4

# Human-readable summary of what this rule reports.
#
# @return [String]
def description
    "AWS credentials using static keys instead of OIDC"
end

#nameObject



# File 'lib/rules/static_aws_credentials.rb', line 3

# Stable identifier for this rule, as used in reports and suppressions.
#
# @return [String]
def name
    "static-aws-credentials"
end

#severityObject



# File 'lib/rules/static_aws_credentials.rb', line 5

# Severity assigned to every finding this rule produces.
#
# @return [Symbol]
def severity
    :high
end