Securing Non-Human Identities in Automated Systems
Implementing robust authentication and authorization for service accounts and tokens in automated workflows.
# Title: Securing Non-Human Identities in Automated Systems
# Description: Implementing robust authentication and authorization for service accounts and tokens in automated workflows.
# Category: Security
# Category Context: Flags unsafe code, secrets, and insecure configurations.
version: 1.0
rules:
- name: "Service Account Security"
description: "Ensure service accounts are granted only the permissions they need (least privilege) and authenticate with credentials that are neither hardcoded nor long-lived: read from a secrets store and rotated."
pattern: "src/**/*.ts"
template: |
// Service Account Configuration
// Credentials are read from the environment at start-up, never committed
// with the source. Note: process.env values are `string | undefined`, so a
// missing variable silently yields `undefined` here rather than an error;
// validate presence at start-up before the first authentication attempt.
// Environment variables are also inherited by child processes and show up
// in crash dumps and CI logs, so inject them from a secrets manager rather
// than storing them in shell profiles or pipeline definitions.
const serviceAccountCredentials = {
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
};
const serviceAccount = {
  // Least privilege: grant only what this workflow needs. Drop 'write'
  // unless the job actually mutates data.
  permissions: ['read', 'write'], // Adjust as needed
  authentication: {
    // Prefer OAuth2 client-credentials (or workload identity federation,
    // where the platform offers it) over static API keys: the former yields
    // short-lived tokens, the latter is a long-lived bearer secret that
    // must be rotated by hand.
    method: 'OAuth2', // or 'JWT'
    credentials: serviceAccountCredentials,
  },
};
- name: "Token Management"
description: "Implement secure handling and storage of tokens in automated workflows."
pattern: "src/**/*.ts"
template: |
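// Token Handling
const token = {
  // Where tokens live at rest. A secrets manager / vault is the default
  // because environment variables are inherited by every child process and
  // routinely leak through `ps`, crash dumps and CI job logs; fall back to
  // 'environmentVariable' or 'encryptedStorage' only where no vault exists.
  storage: 'secureVault',
  // Rotate on a schedule so a leaked token has a bounded lifetime. 30 days
  // is an upper bound for a long-lived credential; short-lived tokens
  // obtained per run (minutes to hours) are preferable where supported.
  rotation: {
    enabled: true,
    interval: '30d', // Adjust as needed
  },
  // Scope checks are necessary but not sufficient: the consumer must also
  // verify the signature, expiry and intended audience/issuer before
  // trusting a token, otherwise a valid token minted for another service
  // would be accepted here.
  validation: {
    requiredScopes: ['read', 'write'], // Adjust as needed
  },
};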
- name: "Secrets Management"
description: "Ensure secrets are not hardcoded and are managed securely."
pattern: "src/**/*.ts"
template: |
// Secrets Management
// Secrets are injected at runtime (secrets manager -> process environment)
// and read here; nothing sensitive is committed with the source.
// process.env values are `string | undefined`: a variable that was not
// injected becomes `undefined` without any error, so check presence at
// start-up rather than discovering it at the first connection attempt.
const env = process.env;
const secrets = {
  databasePassword: env.DB_PASSWORD,
  apiKey: env.API_KEY,
  // Ensure secrets are not hardcoded
  // Avoid: const apiKey = 'hardcoded_api_key';
};
- name: "Logging and Monitoring"
description: "Implement logging and monitoring for service account activities."
pattern: "src/**/*.ts"
template: |
// Logging and Monitoring
// Alerting on repeated authentication/authorization failures by a
// service account.
const accessMonitoring = {
  enabled: true,
  // Failures before an alert fires; tune per workload and define the
  // time window the count applies to in the monitoring backend.
  alertThreshold: 5,
};
const logger = {
  // 'info' records service-account activity (which identity, what
  // action, outcome). Never put tokens, client secrets or Authorization
  // headers into log fields at any level, including 'debug'.
  logLevel: 'info', // or 'debug', 'warn', 'error'
  monitoring: accessMonitoring,
};
- name: "Error Handling"
description: "Implement proper error handling for authentication and authorization failures."
pattern: "src/**/*.ts"
template: |
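// Error Handling
try {
  // Authentication and authorization logic
} catch (error: unknown) {
  // Log a redacted summary, not the raw error object. Errors thrown by
  // HTTP/SDK clients commonly carry the request config (Authorization
  // header, token) or the response body, so `{ error }` would write
  // credential material into the log store.
  const summary = error instanceof Error
    ? { name: error.name, message: error.message }
    : { type: typeof error };
  if (error instanceof AuthenticationError) {
    // Handle authentication errors
    logger.error('Authentication failed', summary);
  } else if (error instanceof AuthorizationError) {
    // Handle authorization errors
    logger.error('Authorization failed', summary);
  } else {
    // Handle other errors
    logger.error('An unexpected error occurred', summary);
  }
  // Rethrow so the caller cannot continue as if the identity check passed.
  throw error;
}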