SonarSource · sebastien-andrivet-sonarsource · Nov 14, 2024 · Nov 12, 2024 · Nov 12, 2024 · Nov 12, 2024
diff --git a/rules/S7155/metadata.json b/rules/S7155/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7155/secrets/metadata.json b/rules/S7155/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "CircleCI secrets should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7155",
+  "sqKey": "S7155",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7155/secrets/rule.adoc b/rules/S7155/secrets/rule.adoc
@@ -0,0 +1,52 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+If attackers gains access to a CircleCI API key, they might be able to modify projects and jobs running on the CircleCI platform.
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+The exact impact of the compromise of an CircleCI API key varies depending on the permissions granted to this token and of its type (personal or project token). It can range from loss of sensitive data and source code to severe supply chain attacks.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f
+:example_name: cci-api-key
+:example_env: CCI_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+* CircleCI Docs - https://circleci.com/docs/managing-api-tokens/[Managing API Tokens]
+* CircleCI Docs - https://circleci.com/docs/api-developers-guide/[CircleCI API developer’s guide]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks