Create rule S7141(secrets): Chief Tools API tokens should not be disclosed (APPSEC-2232)

rules/S7141/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S7141/secrets/metadata.json

@@ -0,0 +1,56 @@
+{
+  "title": "Chief Tools API tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7141",
+  "sqKey": "S7141",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}

rules/S7141/secrets/rule.adoc

@@ -0,0 +1,61 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Leaking this secret can allow an attacker to exploit the Chief Tools API, and
+therefore any of the Chief apps.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+==== Domain hijacking
+If the leaked secret gives an attacker a Cert Chief entitlement, the attacker
+can use it to stay informed about the certificates of your domain to
+automatically renew and take ownership of the next certificate. This can lead to
+a domain hijacking attack.
+
+==== Supply chain attacks
+If the leaked secret gives an attacker a Deploy Chief entitlement, then there
+may exist grave consequences beyond the compromise of source code. The attacker
+may inject malware, backdoors, or other harmful code into these private
+repositories.
+
+This can cause further security breaches inside the organization, but will also
+affect clients if the malicious code gets added to any products. Distributing
+code that (unintentionally) contains backdoors or malware can lead to widespread
+security vulnerabilities, reputational damage, and potential legal liabilities.
+
+==== Phishing and spam
+I the leaked secret gives an attacker a Tny entitlement, an attacker can use
+this API token to hide a malicious domain and use it in spam/phishing campaigns.
+
+Spam can cause users to be exposed to the following:
+
+* Unsolicited, inappropriate content
+* Fraudulent attempts to trick users into sending information or money
+* Abusive or hateful statements
+* False advertising or fraudulent claims
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: ctp_em36qdLHVWKcCm25gGc9oPhsrR0KYX2bymJH
+:example_name: chief-api-token
+:example_env: CHIEF_API_TOKEN 
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+