Verify GitHub Organization Secrets Are Not Too Old
Type: Rule
ID: github-org-old-secrets
Source: v2/rules/github/org/old-secrets.yaml
Rego Source: old-secrets.rego
Labels: GitHub, Organization
Verify secrets in the GitHub organization are not older than the specified threshold.
This rule requires Github Organization Discovery Evidence. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Usage example
uses: github/org/old-secrets@v2
with:
max_secret_age: 12
Mitigation
Ensures that old secrets are removed from the GitHub organization, reducing the risk of exposure of outdated and potentially compromised secrets.
Description
This rule ensures that secrets in the GitHub organization are not older than the specified threshold. It performs the following steps:
- Checks the list of secrets in the GitHub organization.
- Verifies that no secrets are older than the value specified in the
with.max_secret_ageconfiguration.
Evidence Requirements:
- Evidence must be provided by the Scribe Platform's CLI tool through scanning GitHub organization resources.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - platform=github - asset_type=organization |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| max_secret_age | integer | False | Maximum age of secrets in months. |