Incorrect security issue flagged by atlassian/ms-teams-notify:0.1.0 pipe

Atish Roy October 7, 2024

While using atlassian/ms-teams-notify:0.1.0, it is reporting an incorrect security issue, "Uncovered a Microsoft Teams Webhook", while the webhook is being read through a pipeline environment variable.

3 answers

2 votes
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 8, 2024

Hey @Atish Roy, and welcome to the Community!

In order for us to investigate this further, could you kindly share the logs/errors you are receiving when running that pipe? You can either copy/paste the logs here or attach a screenshot.

This will help us to better understand the issue and provide more accurate instructions.

Thank you, @Atish Roy !

Patrik S

Atish Roy October 14, 2024

Hello @Patrik S 
Snippet of pipeline code and failure report.


0 votes
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 15, 2024

Hi @Atish Roy .

You do not have a problem with the ms-teams-notify pipe.

You have a generated report from the git-secrets-scan pipe, in which you have the information that you exposed your WEBHOOK_URL value in previous commits.

You have a fingerprint for the commit in the annotation, so you could check this.

Regards, Igor

Atish Roy October 15, 2024

@Igor Stoyanov shouldn't it flag the issue based on the current commit of the code base? Why is it looking at an obsolete code base and flagging an issue?

Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 16, 2024

@Atish Roy

shouldn't it flag the issue based on the current commit of the code base? -- No.

Why is it looking at an obsolete code base and flagging an issue? -- Because this secret could still be accessed by the commit hash. If the tool found your secret, then anyone else could too.

If you think this is a false positive, you could use `.gitleaksignore` to add the fingerprint there.

Regards, Igor

Thomas Einwaller
Contributor
December 16, 2024

I tried to add fingerprints to the `.gitleaksignore` file, but that does not work.

How do I have to get the fingerprints?

I tried to run the gitleaks command locally in my repo, but they have a totally different style than the ones in the CodeInsights report in the pipeline.

Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 17, 2024

Hi @Thomas Einwaller. Here below is what worked for me when I tested this feature.

You can get the fingerprint from the report by clicking on the annotation (screenshot attached, Screenshot 2024-12-17 at 11.11.24.png).

And then add this fingerprint to the `.gitleaksignore` file:

6e6ff7de96fddd15482674fbe74a2c74d6c4ab90:test/test.json:aws-access-token:1

Hope it helps.
Regards, Igor

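An added example, not code from this thread or from the git-secrets-scan pipe, illustrating two points Igor makes above: the fingerprint shown in the CodeInsights annotation has the shape commit:file:rule-id:line, and a finding is tied to the commit in which the secret is reachable, so an ignore entry silences one commit's finding and does nothing to the secret sitting in history. It assumes the field names of a gitleaks JSON report (RuleID, File, StartLine, Commit) and that a scan run without git history omits the commit segment, which would explain why a local run prints fingerprints in a different style; the report contents, commit hashes, file names and .gitleaksignore lines are all constructed for the example.

```python
import json
import re

# Constructed sample of a gitleaks JSON report, shaped like what the
# git-secrets-scan pipe feeds into the CodeInsights report. Commit hashes,
# file names and line numbers are made up; no real secret is included.
SAMPLE_REPORT_JSON = json.dumps([
    {"RuleID": "microsoft-teams-webhook", "File": "bitbucket-pipelines.yml",
     "StartLine": 18, "Commit": "1111111111111111111111111111111111111111"},
    {"RuleID": "microsoft-teams-webhook", "File": "bitbucket-pipelines.yml",
     "StartLine": 18, "Commit": "2222222222222222222222222222222222222222"},
    {"RuleID": "generic-api-key", "File": "config/dev.env",
     "StartLine": 3, "Commit": "2222222222222222222222222222222222222222"},
])

# Constructed .gitleaksignore: one pipeline-style entry (with commit hash),
# one comment, and one local no-git style entry that can never match a
# history finding because the commit segment is missing.
SAMPLE_IGNORE = """\
# suppressed after the webhook was rotated and the old one confirmed dead
1111111111111111111111111111111111111111:bitbucket-pipelines.yml:microsoft-teams-webhook:18
config/dev.env:generic-api-key:3
"""

# Shape of a fingerprint produced by a scan over git history:
# 40-hex commit, file path, rule id (no colon), start line.
GIT_FINGERPRINT = re.compile(r"^[0-9a-f]{40}:.+:[^:]+:\d+$")


def fingerprint(finding: dict) -> str:
    """Rebuild the fingerprint as the thread shows it: commit:file:rule:line.

    Assumption: a scan without git history (gitleaks --no-git) has no commit,
    so the fingerprint degrades to file:rule:line, which is why local output
    can look different from the pipeline annotation.
    """
    parts = [finding["File"], finding["RuleID"], str(finding["StartLine"])]
    if finding.get("Commit"):
        parts.insert(0, finding["Commit"])
    return ":".join(parts)


def load_ignore(text: str) -> set[str]:
    """Parse .gitleaksignore: one fingerprint per line; blank lines and
    '#' comment lines are skipped (comment handling is an assumption)."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def triage(report_json: str, ignore_text: str) -> dict:
    """Split findings into suppressed vs. still open, and flag ignore entries
    that lack a commit hash and so will never match a git-history finding."""
    ignored = load_ignore(ignore_text)
    result = {"suppressed": [], "open": [], "ignore_entries_without_commit": []}
    for finding in json.loads(report_json):
        fp = fingerprint(finding)
        result["suppressed" if fp in ignored else "open"].append(fp)
    result["ignore_entries_without_commit"] = sorted(
        entry for entry in ignored if not GIT_FINGERPRINT.match(entry)
    )
    return result


if __name__ == "__main__":
    # The same webhook at the same line in a second commit stays open: each
    # commit that carries the secret has its own fingerprint.
    print(json.dumps(triage(SAMPLE_REPORT_JSON, SAMPLE_IGNORE), indent=2))
```

Running it shows the second commit's finding still open even though the first is suppressed, and lists the commit-less entry as one that cannot match. Adding fingerprints only quiets the report; the secret remains readable by anyone with the commit hash, so the fix that actually closes the exposure is to rotate the webhook and treat the old value as compromised.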
0 votes
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 11, 2024

Hi @Atish Roy . Thanks for your question.

Did you create the WEBHOOK_URL repository variable as a secured variable?

Regards, Igor


Atish Roy October 14, 2024

Yes @Igor Stoyanov

Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 14, 2024

@Atish Roy 
Please provide your bitbucket-pipelines.yml config and result log outputs.

Regards, Igor

Atish Roy October 14, 2024

Log data:

Unable to find image 'bitbucketpipelines/git-secrets-scan:2.0.2' locally
2.0.2: Pulling from bitbucketpipelines/git-secrets-scan
4abcf2066143: Pulling fs layer
c1963c07a115: Pulling fs layer
cfbddac15374: Pulling fs layer
6a7c18283447: Pulling fs layer
53208667e7cd: Pulling fs layer
05a64fe2113b: Pulling fs layer
75570927627d: Pulling fs layer
f220f69d8c97: Pulling fs layer
98f78dac6b8a: Pulling fs layer
f220f69d8c97: Waiting
53208667e7cd: Waiting
6a7c18283447: Waiting
98f78dac6b8a: Waiting
05a64fe2113b: Waiting
75570927627d: Waiting
cfbddac15374: Verifying Checksum
cfbddac15374: Download complete
4abcf2066143: Verifying Checksum
4abcf2066143: Download complete
c1963c07a115: Verifying Checksum
c1963c07a115: Download complete
4abcf2066143: Pull complete
c1963c07a115: Pull complete
cfbddac15374: Pull complete
6a7c18283447: Verifying Checksum
6a7c18283447: Download complete
6a7c18283447: Pull complete
05a64fe2113b: Verifying Checksum
05a64fe2113b: Download complete
f220f69d8c97: Verifying Checksum
f220f69d8c97: Download complete
75570927627d: Download complete
98f78dac6b8a: Download complete
53208667e7cd: Verifying Checksum
53208667e7cd: Download complete
53208667e7cd: Pull complete
05a64fe2113b: Pull complete
75570927627d: Pull complete
f220f69d8c97: Pull complete
98f78dac6b8a: Pull complete
Digest: sha256:4b3105aca60c83e317663cabe25926acb2da421da72bc445209cc873e2447051
Status: Downloaded newer image for bitbucketpipelines/git-secrets-scan:2.0.2
WARNING: New version available: atlassian/git-secrets-scan '2.0.2' to '2.0.3'
INFO: Extend gitleaks command to create reports...
WARNING: Gitleaks detect result status code: 1,

│╲
│ ○
○ ░
░ gitleaks

10:56AM INF 50 commits scanned.
10:56AM INF scan completed in 46.8ms
10:56AM WRN leaks found: 6

INFO: Generating CodeInsights reports...
✖ Pipe has finished with a Results Status Code: 1
Searching for files matching artifact pattern .bitbucket/pipelines/generated/pipeline/pipes/**

Searching for test report files in directories named [test-results, failsafe-reports, test-reports, TestResults, surefire-reports] down to a depth of 4
Finished scanning for test reports. Found 0 test report files.
Merged test suites, total number tests is 0, with 0 failures and 0 errors.

pipeline.yaml

pipelines:
  default:
    - parallel:
        - step:
            name: Security Scan
            script:
              # Run a security scan for sensitive data.
              - pipe: atlassian/git-secrets-scan:2.0.2
        - step:
            name: Send Notification
            script:
              - pipe: atlassian/ms-teams-notify:0.1.0
                variables:
                  WEBHOOK_URL: $CHANNEL_WEBHOOK_URL
                  MESSAGE: 'BitBucket automated pipeline for $BITBUCKET_REPO_FULL_NAME api for  $BITBUCKET_BRANCH branch is in progress'

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM