Checkmarx · cx-andre-pereira · Mar 25, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
@@ -0,0 +1,12 @@
+# Generic Negative Test - no secrets (k8s)
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    env: test
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      # trigger validation
@@ -1,4 +1,4 @@
-#k8s test
+# Generic Negative Test - no secrets (k8s)
 apiVersion: v1
 kind: Pod
 metadata:

@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
 resource "aws_db_instance" "default" {
   name                   = var.dbname
   engine                 = "mysql"
@@ -10,7 +11,7 @@ resource "aws_db_instance" "default" {
   instance_class          = "db.t3.micro"
   allocated_storage       = "20"
   username                = "admin"
-  password                = var.password
+  password                = var.password  # negative1
   apply_immediately       = true
   multi_az                = false
   backup_retention_period = 0

@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
 resource "auth0_connection" "google_oauth2" {
   name = "Google-OAuth2-Connection"
   strategy = "google-oauth2"
   options {
     client_id     = var.google_client_id
-    client_secret = var.google_client_secret
+    client_secret = var.google_client_secret  # negative1
     allowed_audiences = [ "example.com", "api.example.com" ]
     scopes = [ "email", "profile", "gmail", "youtube" ]
     set_user_root_attributes = "on_each_login"

@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables"  allow-rule-test
 provider "slack" {
-  token = var.slack_token
+  token = var.slack_token # negative1
 }
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317  negative-test ('.' char is illegal in key definition, incorrect key length (17 is not in {32,45}))
 provider "stripe" {
   api_key = var.strip_api_key
 }
@@ -1,3 +1,4 @@
+# Generic Negative Test - several keywords used in safe contexts ("password","api_key","secret_key")
 resource "aws_ecs_task_definition" "webapp" {
   family        = "tomato-webapp"
   task_role_arn = data.aws_iam_role.ecs_task_role.arn

@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317  negative-test ('.' char is illegal in key definition, incorrect key length (18 is not in {32,45}))
 provider "heroku" {
   email   = "ops@company.com"
   api_key = var.heroku_api_key

@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables"  allow-rule-test
 provider "github" {
-  token = var.github_key
+  token = var.github_key  # negative1
 }
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317  negative-test ('.' char is illegal in key definition, incorrect key length (11 is not in {32,45}))
 provider "cloudflare" {
   version = "~> 2.0"
   email   = "var.cloudflare_email"

@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions"  allow-rule-test
 Parameters:
   PrivateKey1:
     Type: String
@@ -9,4 +10,4 @@ Resources:
   PinpointAPNSChannel:
     Type: AWS::Pinpoint::APNSChannel
     Properties:
-      PrivateKey: !GetAtt PrivateKey1
+      PrivateKey: !GetAtt PrivateKey1 # negative1
@@ -1,11 +1,12 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions"  allow-rule-test
 Parameters:
   PinpointAPNSVoipChannelTokenKey:
     Type: String
 Resources:
   ElastiCacheReplicationGroup:
     Type: AWS::ElastiCache::ReplicationGroup
     Properties:
-      AuthToken: !Ref PinpointAPNSVoipChannelTokenKey
+      AuthToken: !Ref PinpointAPNSVoipChannelTokenKey # negative1
       CacheNodeType: cache.m5.large
       CacheSubnetGroupName: subnet-foobar
       Engine: redis
@@ -22,5 +23,5 @@ Resources:
   PinpointAPNSChannel:
     Type: AWS::Pinpoint::APNSChannel
     Properties:
-      TokenKey: !Ref PinpointAPNSVoipChannelTokenKey
+      TokenKey: !Ref PinpointAPNSVoipChannelTokenKey # negative2
       ApplicationId: !Ref PinpointApp
@@ -1,9 +1,9 @@
-#cloud formation test
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions"  allow-rule-test
 Resources:
   RDSCluster:
     Type: "AWS::RDS::DBCluster"
     Properties:
-      MasterUserPassword: !Ref PasswordMaster
+      MasterUserPassword: !Ref PasswordMaster  # negative1
       DBClusterIdentifier: my-serverless-cluster
       Engine: aurora
       EngineVersion: 5.6.10a

@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
 - name: Start a workflow in the Itential Automation Platform
   community.network.iap_start_workflow:
     iap_port: 3000

@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317  negative-test ('.' char is illegal in key definition, incorrect key length (19 is not in {32,45}))
 provider "mailgun" {
   api_key = "var.mailgun_api_key"
 }
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317  negative-test ('.' char is illegal in key definition, incorrect key length (28 is not in {32,45}))
 provider "stripe" {
   api_key = var.strip_restricted_api_key
 }
@@ -1,3 +1,4 @@
+# "Twilio API Key" - e0f01838-b1c2-4669-b84b-981949ebe5ed  negative-test (is not a hardcoded key)
 - hosts: all
   remote_user: root
   vars:

@@ -1,3 +1,4 @@
+# "PayPal Braintree Access Token" - 4919b847-e3da-402a-acf8-6cea8e529993  negative-test (is not a hardcoded token)
 - hosts: all
   remote_user: root
   vars:

@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
 apiVersion: v1
 kind: Pod
 metadata:

@@ -1,3 +1,4 @@
+# "Google OAuth Access Token" - 41a1ca8d-f466-4084-a8c9-50f8b22200d5  negative-test (is not a hardcoded token)
 apiVersion: v1
 kind: Config
 users:
@@ -10,7 +11,7 @@ users:
   user:
     auth-provider:
       config:
-        access-token: '{.credential.oauth_access_token_}'
+        access-token: '{.credential.oauth_access_token_}' # negative1
         cmd-args: config config-helper --format=json
         cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud
         expiry: 2021-10-28T15:12:03.000Z

@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
 resource "aws_lambda_function" "analysis_lambda4" {
   # lambda have plain text secrets in environment variables
   filename      = "resources/lambda_function_payload.zip"

@@ -1,4 +1,87 @@
-provider rancher2 {
-  api_url   = data.terraform_remote_state.rancher.outputs.api_url
-  token_key = data.terraform_remote_state.rancher.outputs.token_key
+# "Generic Token"   - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding TF resource access"  allow-rule-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables"        allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access"        allow-rule-test - #3
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
 }
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+variable "auth_token" {
+  description = "Authentication token"
+  type        = string
+  sensitive   = true
+}
+
+variable "enabled" {
+  description = "Whether to enable resources"
+  type        = bool
+  default     = true
+}
+
+resource "aws_secretsmanager_secret_version" "token_version" {
+  for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_token_secret[each.key].id
+  secret_string = jsonencode({ "client" : each.key, "token" : random_password.client_token[each.key].result })  #1
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_2" {
+  for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_token_secret[each.key].id
+  secret_string = jsonencode({ "client" : each.key, "token" : random_password[each.key].client_token.result }) #1
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_3" {
+  for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_token_secret[each.key].id                                   #3
+  secret_string = jsonencode({ "client" : each.key, "token" : random_password["index"].client_token.result })
+}
+
+resource "aws_lb_listener" "https_null" {
+  count             = var.enabled ? 1 : 0
+  load_balancer_arn = aws_lb.main[0].arn
+  port              = 443
+  protocol          = "HTTPS"
+
+  default_action {
+    type      = "fixed-response"
+    token_key = null  #1
+  }
+}
+module "auth_service" {
+  source = "./modules/auth"
+
+  token = var.auth_token  #2
+}
+module "api_gateway" {
+  source = "./modules/gateway"
+
+  token = module.auth_service.token_output.value  #1
+}
+module "legacy_service" {
+  source = "./modules/legacy"
+
+  token = data.aws_secretsmanager_secret_version.existing_token.secret_string  #1
+}
+
+locals {
+  token_config = {
+    value = aws_secretsmanager_secret.client_token_secret["primary"].arn
+  }
+}
+
+module "monitoring" {
+  source = "./modules/monitoring"
+
+  token = local.token_config.value  #1
+}
@@ -1,3 +1,4 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Github id-token Default Values"  allow-rule-test
 name: Example Workflow
 
 on: workflow_call
@@ -7,7 +8,7 @@ jobs:
     permissions:
       contents: read
       pages: write
-      id-token: write
+      id-token: write # negative1
 
     runs-on: ubuntu
 
@@ -25,7 +26,7 @@ jobs:
     permissions:
       contents: read
       pages: write
-      id-token: read
+      id-token: read # negative2
 
     runs-on: ubuntu
 
@@ -43,7 +44,7 @@ jobs:
     permissions:
       contents: read
       pages: write
-      id-token: none
+      id-token: none # negative3
 
     runs-on: ubuntu
 

@@ -1,4 +1,4 @@
-#ansible test
+# Generic Negative Test - no secrets (ansible)
 - name: create a cluster
   google.cloud.gcp_container_cluster:
     name: my-cluster

@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's"  allow-rule-test
 apiVersion: v1
 kind: Pod
 metadata:
   name: security-context-demo
 spec:
-  automountServiceAccountToken: false
+  automountServiceAccountToken: false # negative1
   securityContext:
     runAsUser: 1000
     runAsGroup: 3000

@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding arn"  allow-rule-test
 - name: 'aws_codebuild integration tests'
   collections:
     - amazon.aws
@@ -22,7 +23,7 @@
           packaging: NONE
           type: CODEPIPELINE
           name: test
-        encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3'
+        encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3'  # negative1
         environment:
           compute_type: BUILD_GENERAL1_SMALL
           privileged_mode: true

@@ -1,5 +1,6 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions"  allow-rule-test
 Conditions:
   HasKmsKey: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
   HasSecretName: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
-  HasPassword: !Not [!Equals [!Ref DBPassword, '']]
+  HasPassword: !Not [!Equals [!Ref DBPassword, '']] # negative1
 Resources:
@@ -1,46 +1,13 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test - #1 (line 10)
+# Global allow rule  - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's"          allow-rule-test - #2 (line 11)
 Resources:
   LambdaFunctionV2:
     Type: 'AWS::Lambda::Function'
     Properties:
-      Code:
+      Code:       #1 & #2:
         ZipFile: |
-          'use strict';
-          const AWS = require('aws-sdk');
-          const response = require('cfn-response');
-          const iam = new AWS.IAM({apiVersion: '2010-05-08'});
-          exports.handler = (event, context, cb) => {
-            console.log(`Invoke: ${JSON.stringify(event)}`);
-            function done(err) {
-              if (err) {
-                console.log(`Error: ${JSON.stringify(err)}`);
-                response.send(event, context, response.FAILED, {});
-              } else {
-                response.send(event, context, response.SUCCESS, {});
-              }
-            }
-            if (event.RequestType === 'Delete') {
-              iam.deleteAccountPasswordPolicy({}, done);
-            } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
-              const params = {
-                MinimumPasswordLength: parseInt(event.ResourceProperties.MinimumPasswordLength, 10),
-                RequireSymbols: event.ResourceProperties.RequireSymbols === 'true',
-                RequireNumbers: event.ResourceProperties.RequireNumbers === 'true',
-                RequireUppercaseCharacters: event.ResourceProperties.RequireUppercaseCharacters === 'true',
-                RequireLowercaseCharacters: event.ResourceProperties.RequireLowercaseCharacters === 'true',
                 AllowUsersToChangePassword: event.ResourceProperties.AllowUsersToChangePassword === 'true',
-                HardExpiry: event.ResourceProperties.HardExpiry === 'true'
-              };
-              if (parseInt(event.ResourceProperties.MaxPasswordAge, 10) > 0) {
-                params.MaxPasswordAge = parseInt(event.ResourceProperties.MaxPasswordAge, 10);
-              }
-              if (parseInt(event.ResourceProperties.PasswordReusePrevention, 10) > 0) {
-                params.PasswordReusePrevention = parseInt(event.ResourceProperties.PasswordReusePrevention, 10);
-              }
-              iam.updateAccountPasswordPolicy(params, done);
-            } else {
-              cb(new Error(`unsupported RequestType: ${event.RequestType}`));
-            }
-          };
+                AllowUsersToChangePassword: false,
       Handler: 'index.handler'
       MemorySize: 128
       Role: !GetAtt 'LambdaRole.Arn'

@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99  - "Avoiding TF resource access"  allow-rule-test
 locals {
   secrets = {
     my_secret = random_password.my_password.result

@@ -1,3 +1,4 @@
+# Generic Negative Test - arbitrary git "token" references (dockerfile)
 FROM baseImage
 
 RUN apk add --no-cache git \