While using atlassian/ms-teams-notify:0.1.0, it is reporting an incorrect security issue for Uncovered a Microsoft Teams Webhook. While the webhook is being read through pipeline environment variable.
Hey @Atish Roy, and welcome to the Community!
In order for us to investigate this further, could you kindly share the logs/errors you are receiving when running that pipe? You can either copy/paste the logs here or attach a screenshot.
This will help us to better understand the issue and provide more accurate instructions.
Thank you, @Atish Roy !
Patrik S
Hi @Atish Roy.
You do not have a problem with the ms-teams-notify pipe.
You have a generated report from the git-secrets-scan pipe, in which you have the information that you exposed your WEBHOOK_URL value in previous commits.
You have a fingerprint for the commit in the annotation so you could check this.
Regards, Igor
@Igor Stoyanov shouldn't it flag the issue based on the current commit of the code base? Why is it looking for the obsolete code base and flagging the issue?
@Atish Roy
shouldn't it flag the issue based on the current commit of the code base? -- No.
Why is it looking for the obsolete code base and flagging the issue? -- Because this secret could still be accessed by the commit hash. If the tool found your secret, then anyone else could as well.
If you think this is a false positive, you could use gitleaksignore to add the fingerprint there.
Regards, Igor
I tried to add fingerprints to the `.gitleaksignore` file but that does not work.
How do I have to get the fingerprints?
I tried to run the gitleaks command locally in my repo, but they have a totally different style than the ones in the CodeInsights report in the pipeline.
Hi @Thomas Einwaller. Here below is what worked for me when I tested this feature.
You can get the fingerprint from the report by clicking on the annotation:
And then add this fingerprint to the `.gitleaksignore` file:
6e6ff7de96fddd15482674fbe74a2c74d6c4ab90:test/test.json:aws-access-token:1
Hope it helps.
Regards, Igor
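As an added example (not part of this thread or of the pipe itself), the script below builds fingerprints in the commit:file:rule-id:line form shown above from a gitleaks-style JSON report and filters them through a `.gitleaksignore` list, so a locally run gitleaks report can be matched against the CodeInsights annotations. The report, commit hashes and rule ids are constructed sample values; note that an ignore entry only silences the finding, the secret itself stays in history until it is rotated.

```python
"""Match gitleaks findings against .gitleaksignore fingerprints.
Constructed example; report contents and hashes are sample values."""
import json

# Constructed gitleaks-style JSON report with two findings.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "test/test.json",
     "Commit": "6e6ff7de96fddd15482674fbe74a2c74d6c4ab90", "StartLine": 1,
     "Description": "AWS Access Token"},
    {"RuleID": "microsoft-teams-webhook", "File": "bitbucket-pipelines.yml",
     "Commit": "0123456789abcdef0123456789abcdef01234567", "StartLine": 12,
     "Description": "Microsoft Teams Webhook"},
])

# Constructed .gitleaksignore: one fingerprint per line, '#' starts a comment.
SAMPLE_IGNORE = """# ignored: test fixture, not a live credential
6e6ff7de96fddd15482674fbe74a2c74d6c4ab90:test/test.json:aws-access-token:1
"""


def fingerprint(finding: dict) -> str:
    """Return commit:file:rule-id:line, the form shown in the report annotation.
    A finding without a commit (e.g. a plain directory scan) drops the commit part."""
    parts = [finding["File"], finding["RuleID"], str(finding["StartLine"])]
    if finding.get("Commit"):
        parts.insert(0, finding["Commit"])
    return ":".join(parts)


def load_ignore(text: str) -> set:
    """Parse .gitleaksignore text into a set of fingerprints, skipping comments."""
    fps = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fps.add(line)
    return fps


def active_findings(report_json: str, ignore_text: str) -> list:
    """Findings from the report whose fingerprint is not in the ignore list."""
    ignored = load_ignore(ignore_text)
    return [f for f in json.loads(report_json) if fingerprint(f) not in ignored]


if __name__ == "__main__":
    for f in active_findings(SAMPLE_REPORT, SAMPLE_IGNORE):
        print("still reported:", fingerprint(f), "-", f["Description"])
```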
Hi @Atish Roy. Thanks for your question.
Did you create WEBHOOK_URL Repository variable as a secured variable?
Regards, Igor
@Atish Roy
Please provide your bitbucket-pipelines.yml config and result log outputs.
Regards, Igor
Log data:
Unable to find image 'bitbucketpipelines/git-secrets-scan:2.0.2' locally
Digest: sha256:4b3105aca60c83e317663cabe25926acb2da421da72bc445209cc873e2447051
Status: Downloaded newer image for bitbucketpipelines/git-secrets-scan:2.0.2
WARNING: New version available: atlassian/git-secrets-scan '2.0.2' to '2.0.3'
INFO: Extend gitleaks command to create reports...
WARNING: Gitleaks detect result status code: 1,
○
│╲
│ ○
○ ░
░ gitleaks
10:56AM INF 50 commits scanned.
10:56AM INF scan completed in 46.8ms
10:56AM WRN leaks found: 6
INFO: Generating CodeInsights reports...
✖ Pipe has finished with a Results Status Code: 1
Searching for files matching artifact pattern .bitbucket/pipelines/generated/pipeline/pipes/**
Searching for test report files in directories named [test-results, failsafe-reports, test-reports, TestResults, surefire-reports] down to a depth of 4
Finished scanning for test reports. Found 0 test report files.
Merged test suites, total number tests is 0, with 0 failures and 0 errors.
pipeline.yaml