Add exclusion patterns for curl-unencrypted-url
curl-unencrypted-url produces a lot of false positives on repositories
with lots of cloud infrastructure code for AWS or GCP. These providers
use link-local URLs via HTTP without TLS. This is equivalent to
localhost patterns.
fruechel-canva committed Dec 13, 2024
1 parent 71b9ec1 commit a4dadd0
Showing 2 changed files with 9 additions and 1 deletion.
8 changes: 7 additions & 1 deletion generic/curl-unencrypted-url.sh
Expand Up @@ -13,4 +13,10 @@ curl https://google.com > /dev/null
curl http://localhost > /dev/null

# ok: curl-unencrypted-url
curl http://127.0.0.1 > /dev/null
curl http://127.0.0.1 > /dev/null

# ok: curl-unencrypted-url
curl http://169.254.169.254 > /dev/null

# ok: curl-unencrypted-url
curl http://metadata.google.internal > /dev/null
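Review bot: the paired `curl http://127.0.0.1 > /dev/null` lines in this hunk (one removed, one re-added, which accounts for the file's single deletion) look like a whitespace-only change, most likely a missing trailing newline at the end of the file; worth confirming it is that and not an accidentally duplicated test case. The two new `# ok: curl-unencrypted-url` cases exercise exactly the hosts added to the rule, which is the right pairing; if the file does not already have one above this hunk, a `# ruleid:` case for a plain `http://` host that is neither loopback nor a link-local metadata endpoint would make the boundary of the new exclusion visible in the test as well.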
2 changes: 2 additions & 0 deletions generic/curl-unencrypted-url.yaml
Expand Up @@ -19,3 +19,5 @@ rules:
- pattern: curl ... ftp://
- pattern-not-inside: curl ... http://127.0.0.1
- pattern-not-inside: curl ... http://localhost
- pattern-not-inside: curl ... http://169.254.169.254
- pattern-not-inside: curl ... http://metadata.google.internal
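Review bot: the two new `pattern-not-inside` entries carry no comment explaining why plaintext requests to `169.254.169.254` and `metadata.google.internal` are exempt; the rationale (cloud providers serve their link-local metadata endpoints over HTTP without TLS, so these are equivalent to the localhost exclusions) lives only in the commit message, so a short YAML comment above the new lines, or a sentence in the rule's message, would keep a later maintainer from removing the exclusion as an apparent gap. Both entries are anchored on the exact host text, so confirm in the `.sh` cases that a URL continuing with a path or port after the host is also exempted if that is the intent, and that the rule still fires for any other `http://` host.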
