# Secret Leak Detection Policy Pack
# Sprint: SPRINT_20260104_004_POLICY - Task PSD-010
#
# This policy pack enforces security gates based on secret leak detection findings.
# Uses signals from SecretSignalBinder for policy evaluation.
#
# Available signals:
#   secret.has_finding       - true if any secret finding exists
#   secret.count             - total number of findings
#   secret.severity.critical - true if any critical finding exists
#   secret.severity.high     - true if any high severity finding exists
#   secret.severity.medium   - true if any medium severity finding exists
#   secret.severity.low      - true if any low severity finding exists
#   secret.confidence.high   - true if any high confidence finding exists
#   secret.confidence.medium - true if any medium confidence finding exists
#   secret.confidence.low    - true if any low confidence finding exists
#   secret.mask.applied      - true if masking was applied to all findings
#   secret.bundle.version    - the active bundle version string
#   secret.bundle.id         - the active bundle ID

name: secret-detection-gates
version: 1.0.0
description: |
  Security gates for secret leak detection.
  Blocks deployments when critical or high-severity secrets are detected.

rules:
  # Block on any critical severity secret (private keys, service account keys, etc.)
  - id: block-critical-secrets
    description: Block deployment when critical secrets are detected
    severity: critical
    when:
      signal: secret.severity.critical
      equals: true
    deny_message: |
      CRITICAL: Secrets with critical severity detected.
      Review findings and rotate any exposed credentials before proceeding.
      Common causes: Private keys, GCP service account keys, Stripe secret keys.

  # Block on high severity secrets with high confidence (real credentials)
  - id: block-high-confidence-secrets
    description: Block deployment when high-confidence high-severity secrets are detected
    severity: high
    when:
      all:
        - signal: secret.severity.high
          equals: true
        - signal: secret.confidence.high
          equals: true
    deny_message: |
      HIGH: High-confidence secrets detected with high severity.
      These are likely real credentials. Review and remediate before deployment.

  # Warn on medium severity secrets (potential API keys, passwords)
  - id: warn-medium-secrets
    description: Warn when medium-severity secrets are detected
    severity: medium
    when:
      signal: secret.severity.medium
      equals: true
    warn_message: |
      WARNING: Medium-severity secrets detected.
      Review findings to confirm they are not false positives.
      Consider adding legitimate patterns to the exception list.

  # Warn when any secrets are found (informational)
  - id: info-any-secrets
    description: Log when any secrets are detected
    severity: low
    when:
      signal: secret.has_finding
      equals: true
    info_message: |
      Secret detection found {{secret.count}} potential secret(s).
      Review the findings in the scan results.

  # Ensure masking is applied before allowing export
  - id: require-masking
    description: Block export if masking was not applied
    severity: high
    context: export
    when:
      signal: secret.mask.applied
      equals: false
    deny_message: |
      BLOCKED: Secrets must be masked before export.
      Ensure revelation policy is not set to FullReveal for exports.
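The evaluator below is an added example, not the project's own SecretSignalBinder or policy engine, showing how the `when`, `all`, `context` and `{{signal}}` fields of this pack can be applied to a map of scanner signals. The rule list is transcribed from the pack (messages abridged to their first line); the names `evaluate`, `Decision` and `sample_signals`, the deny-over-warn-over-info precedence, and the choice to fail closed when a rule references a signal the scanner did not report are assumptions of the example that the pack itself does not specify.

```python
"""Minimal evaluator for the secret-detection policy pack (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Rules transcribed from the YAML pack above (constructed here so the block
# runs without a YAML library; multi-line messages abridged to one line).
RULES: list[dict] = [
    {"id": "block-critical-secrets", "severity": "critical",
     "when": {"signal": "secret.severity.critical", "equals": True},
     "deny_message": "CRITICAL: Secrets with critical severity detected."},
    {"id": "block-high-confidence-secrets", "severity": "high",
     "when": {"all": [{"signal": "secret.severity.high", "equals": True},
                      {"signal": "secret.confidence.high", "equals": True}]},
     "deny_message": "HIGH: High-confidence secrets detected with high severity."},
    {"id": "warn-medium-secrets", "severity": "medium",
     "when": {"signal": "secret.severity.medium", "equals": True},
     "warn_message": "WARNING: Medium-severity secrets detected."},
    {"id": "info-any-secrets", "severity": "low",
     "when": {"signal": "secret.has_finding", "equals": True},
     "info_message": "Secret detection found {{secret.count}} potential secret(s)."},
    {"id": "require-masking", "severity": "high", "context": "export",
     "when": {"signal": "secret.mask.applied", "equals": False},
     "deny_message": "BLOCKED: Secrets must be masked before export."},
]

# Baseline signal map for a clean scan (constructed sample values).
CLEAN_SIGNALS = {
    **{f"secret.severity.{s}": False for s in ("critical", "high", "medium", "low")},
    **{f"secret.confidence.{c}": False for c in ("high", "medium", "low")},
    "secret.has_finding": False, "secret.count": 0, "secret.mask.applied": True,
    "secret.bundle.version": "1.0.0", "secret.bundle.id": "example-bundle",
}

# Outcome precedence (assumed by this example): deny outranks warn outranks info.
RANK = {"allow": 0, "info": 1, "warn": 2, "deny": 3}
OUTCOMES = (("deny_message", "deny"), ("warn_message", "warn"), ("info_message", "info"))


class MissingSignal(Exception):
    """Raised when a rule references a signal the scanner did not report."""


@dataclass
class Decision:
    action: str = "allow"                                 # strongest outcome seen
    matched: list[str] = field(default_factory=list)      # rule ids that fired
    messages: list[str] = field(default_factory=list)     # rendered messages

    def escalate(self, action: str, rule_id: str, message: str) -> None:
        self.matched.append(rule_id)
        self.messages.append(message)
        if RANK[action] > RANK[self.action]:
            self.action = action


def sample_signals(**overrides) -> dict:
    """Copy of the clean baseline with selected signals overridden."""
    signals = dict(CLEAN_SIGNALS)
    signals.update(overrides)
    return signals


def condition_holds(cond: dict, signals: dict) -> bool:
    """Evaluate a `when` clause: a single signal/equals pair or an `all` list."""
    if "all" in cond:
        return all(condition_holds(c, signals) for c in cond["all"])
    name = cond["signal"]
    if name not in signals:
        raise MissingSignal(name)
    return signals[name] == cond["equals"]


def render(template: str, signals: dict) -> str:
    """Substitute {{signal.name}} placeholders with the signal's value."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                  lambda m: str(signals.get(m.group(1), "<unknown>")), template)


def evaluate(rules: list[dict], signals: dict, context: str = "deploy") -> Decision:
    """Apply every rule bound to `context` (or to no context) and combine outcomes."""
    decision = Decision()
    for rule in rules:
        if rule.get("context") not in (None, context):
            continue
        try:
            if not condition_holds(rule["when"], signals):
                continue
        except MissingSignal as exc:
            # Fail closed (example's choice): an unreported signal means the
            # scan cannot vouch for the artifact, so the gate denies.
            decision.escalate("deny", rule["id"],
                              f"{rule['id']}: signal '{exc}' not reported; failing closed")
            continue
        for key, action in OUTCOMES:
            if key in rule:
                decision.escalate(action, rule["id"], render(rule[key], signals))
                break
    return decision
```

Calling `evaluate(RULES, sample_signals(**{"secret.has_finding": True, "secret.count": 1, "secret.mask.applied": False}), context="export")` returns a deny from `require-masking`, while the same signals under `context="deploy"` only produce the informational finding count, which is the effect of the `context: export` binding on the last rule. A high-severity finding with only medium confidence passes through the `all` clause without triggering `block-high-confidence-secrets`, matching the pack's intent of blocking only on likely-real credentials.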