remove exluded_envs

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Oct 9, 2024 · 7fc2985 · 7fc2985
1 parent 6d50121
commit 7fc2985
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 10 deletions.
diff --git a/checks/docker/leaked_secrets.rego b/checks/docker/leaked_secrets.rego
@@ -98,14 +98,12 @@ default_envs := {
  "HF_TOKEN", # https://huggingface.co/docs/huggingface_hub/en/package_reference/environment_variables#hftoken
 }
 
-excluded_envs := set()
-
 included_envs := included if {
  is_array(ds031.included_envs)
  included := {e | some e in ds031.included_envs}
 } else := set()
 
-envs := (default_envs - excluded_envs) | included_envs
+envs := default_envs | included_envs
 
 is_secret_env(str) if str in envs
 

diff --git a/checks/docker/leaked_secrets_test.rego b/checks/docker/leaked_secrets_test.rego
@@ -24,15 +24,9 @@ test_deny_secret_arg if {
  count(res) = 1
 }
 
-test_allow_secret_github_env_but_this_env_excluded if {
- inp := build_simple_input("env", ["GITHUB_TOKEN"])
- res := check.deny with input as inp with check.excluded_envs as {"GITHUB_TOKEN"}
- count(res) = 0
-}
-
 test_deny_custom_secret_env if {
  inp := build_simple_input("env", ["MY_SECRET"])
- res := check.deny with input as inp with data.ds031.included_envs as {"MY_SECRET"}
+ res := check.deny with input as inp with data.ds031.included_envs as ["MY_SECRET"]
  count(res) = 1
 }