SDLC policy controls with YARA

In this guide, we're creating an SDLC policy rule for a specific project in the package store.

1. Create the YARA rule

In your rl-secure package store, access the project directory where you want to place the custom YARA rule.

By default, every project directory contains the .yara directory.

Navigate to the .yara directory and create a file named My_SDLC_Rule.yara inside it.

2. Add the YARA rule contents

Open the newly created My_SDLC_Rule.yara file in a text editor.

Copy the YARA rule contents from any of the following examples into the file.

Example 1: Detect leaked PuTTY private keys

Sensitive information like service access credentials and keys can (inadvertently) leak when preparing software packages for a release. This may be caused by weak or non-existing security practices, development environment or version control misconfiguration, and other factors.

You can create a custom policy that will set the package build status to FAIL when the presence of such sensitive information is detected in the package.

PuTTY is a free and open source SSH, Rlogin and Telnet client for multiple platforms. In this example, the pattern is the header of an SSH-1 private key file as PuTTYgen saves it: the magic string SSH PRIVATE KEY FILE FORMAT 1.1 and its terminator, the cipher type byte 0x03 (3DES, meaning the key is passphrase-encrypted), four reserved zero bytes, and the first bytes of the public key fields. We're specifying the pattern as a variable in the strings section, and the condition section indicates the YARA rule will be triggered when this pattern is found in a file. Keys in PuTTY's own PPK format (files starting with PuTTY-User-Key-File-2 or -3) have a different header and are not matched by this pattern.

When the rule is triggered, the policy configuration settings from the meta section will be applied: the CI/CD build status for the package is set to fail, and the issue is listed in the report with medium severity and medium remediation effort.

Example 1: YARA rule contents
rule PuTTy_Encrypted_Key : tc_policy
{
    meta:
        // [Mandatory] Naming schema: YRxxxxx
        tc_policy_identifier = "YR10002"

        // [Optional]
        tc_policy_status = "fail"          // Default: pass
        tc_policy_severity = "medium"      // Default: low
        tc_policy_effort = "medium"        // Default: low
        tc_policy_description = "Detects PuTTy encrypted private keys."

    strings:
        // SSH-1 private key file header: magic string, "\n\0" terminator,
        // cipher type byte 0x03 (3DES, i.e. passphrase-encrypted), four
        // reserved zero bytes, then the public modulus bit count (uint32)
        // and the uint16 bit length of the modulus mpint. \xNN are YARA's
        // hex-byte escapes for the raw header bytes; /s lets "." match any byte.
        $putty_private_key = /SSH PRIVATE KEY FILE FORMAT 1.1\s{1,2}\x00\x03\x00{6}(([\x01-\xff].){2}|(\x00[\x01-\xff]){2})/s

    condition:
        $putty_private_key
}

Example 2: Detect leaked Tencent Cloud credentials

Tencent Cloud is a Chinese-owned cloud computing platform. In this example, we have identified the shape of Tencent Cloud API credentials as they appear in plaintext: a secret ID is the prefix AKID followed by 32 alphanumeric characters, and a secret key is a delimited 32-character alphanumeric value that follows a "secret" or "secret_key" label. We're specifying the patterns for secret IDs and secret keys as variables in the strings section. The condition section requires a secret ID match and a secret key match within 100 bytes of each other, so a lone AKID-shaped string or a lone "secret" label does not by itself trigger the rule.

When the rule is triggered, the policy configuration settings from the meta section will be applied: the CI/CD build status for the package is set to fail, and the issue is listed in the report with high severity and medium remediation effort.

Example 2: YARA rule contents
rule Tencent_Credentials : tc_policy
{
    meta:
        // [Mandatory] Naming schema: YRxxxxx
        tc_policy_identifier = "YR10003"

        // [Optional]
        tc_policy_status = "fail"          // Default: pass
        tc_policy_severity = "high"        // Default: low
        tc_policy_effort = "medium"        // Default: low
        tc_policy_description = "Detects plaintext Tencent Cloud credentials."

    strings:
        // SecretId: "AKID" + 32 alphanumerics, not embedded in a longer alphanumeric run.
        $tencent_secret_id = /(^|[^A-Za-z0-9])AKID[A-Za-z0-9]{32}($|[^A-Za-z0-9])/
        // SecretKey: a "secret"/"secret_key" label (case-insensitive), then within
        // 64 bytes on the same line a delimited 32-character alphanumeric value.
        $tencent_secret_key = /(secret_?(key)?).{1,64}[^A-Za-z0-9_\-][A-Za-z0-9]{32}[^A-Za-z0-9_\-]/i

    condition:
        // Fire only when some SecretId match and some SecretKey match lie
        // within 100 bytes of each other; either string alone is not enough.
        for any i in (1..#tencent_secret_id) : (
            for any j in (1..#tencent_secret_key) : (
                (@tencent_secret_key[j] < (@tencent_secret_id[i] + 100)) and
                (@tencent_secret_key[j] > (@tencent_secret_id[i] - 100))
            )
        )
}
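To see what both rules above do and do not fire on before you sync the project, here is an added example (not rl-secure's or ReversingLabs' code) that re-implements the two rules' string patterns and conditions with Python's re module over constructed inputs. It assumes the rules' regex semantics carry over to re (DOTALL for YARA's /s modifier, IGNORECASE for /i, offsets in bytes as YARA's @ operator reports them); the SSH-1 key header and the AKID/secret-key values are constructed dummies with the right shape, not real keys or credentials.

```python
"""Offline sanity check of the two SDLC YARA rules (added example, not rl-secure code).

rl-secure compiles and runs the .yara file itself; this script only mirrors the
rules' strings and conditions with Python's re module so the behaviour of each
pattern can be inspected on constructed samples. Nothing here is a real secret.
"""
import re

# Example 1: same regex as $putty_private_key; re.DOTALL is YARA's /s modifier.
PUTTY_ENCRYPTED_KEY = re.compile(
    rb"SSH PRIVATE KEY FILE FORMAT 1.1\s{1,2}\x00\x03\x00{6}"
    rb"(([\x01-\xff].){2}|(\x00[\x01-\xff]){2})",
    re.DOTALL,
)


def ssh1_key_header(cipher_type: int, bits: int = 1024) -> bytes:
    """Start of an SSH-1 private key file as PuTTYgen writes it (constructed).

    magic + "\\n\\0", cipher type (0 = unencrypted, 3 = 3DES), 4 reserved bytes,
    modulus bit count (uint32), then the modulus as an SSH-1 mpint
    (uint16 bit length + big-endian bytes; placeholder bytes here).
    """
    return (
        b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"
        + bytes([cipher_type])
        + b"\x00" * 4
        + bits.to_bytes(4, "big")
        + bits.to_bytes(2, "big")
        + b"\xc1" * (bits // 8)
    )


def putty_rule_fires(data: bytes) -> bool:
    return PUTTY_ENCRYPTED_KEY.search(data) is not None


# Example 2: same regexes as $tencent_secret_id / $tencent_secret_key.
TENCENT_SECRET_ID = re.compile(rb"(^|[^A-Za-z0-9])AKID[A-Za-z0-9]{32}($|[^A-Za-z0-9])")
TENCENT_SECRET_KEY = re.compile(
    rb"(secret_?(key)?).{1,64}[^A-Za-z0-9_\-][A-Za-z0-9]{32}[^A-Za-z0-9_\-]",
    re.IGNORECASE,
)
PROXIMITY = 100  # bytes, the window used in the rule's condition


def tencent_rule_fires(data: bytes) -> bool:
    """The rule's condition: some id match within +/-100 bytes of some key match."""
    id_offsets = [m.start() for m in TENCENT_SECRET_ID.finditer(data)]
    key_offsets = [m.start() for m in TENCENT_SECRET_KEY.finditer(data)]
    return any(abs(k - i) < PROXIMITY for i in id_offsets for k in key_offsets)


# Constructed dummy values with the right shape (AKID + 32 alnum; 32 alnum).
DUMMY_SECRET_ID = b"AKID" + b"A" * 32
DUMMY_SECRET_KEY = b"B" * 32

SAMPLES = {
    "putty_3des_1024": ssh1_key_header(3),
    "putty_3des_128": ssh1_key_header(3, bits=128),   # exercises the second alternative
    "putty_unencrypted": ssh1_key_header(0),          # cipher type 0: rule stays silent
    # PuTTY's own PPK format has a different header; the rule does not cover it.
    "putty_ppk_v2": b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n",
    "tencent_adjacent_json": b'{"secretId": "' + DUMMY_SECRET_ID
                             + b'", "secretKey": "' + DUMMY_SECRET_KEY + b'"}',
    "tencent_id_only": b"TENCENT_SECRET_ID=" + DUMMY_SECRET_ID + b"\n",
    "tencent_far_apart": b"SecretId: " + DUMMY_SECRET_ID + b"\n"
                         + b"# padding line\n" * 20           # pushes the key > 100 bytes away
                         + b"SecretKey: " + DUMMY_SECRET_KEY + b"\n",
}


def evaluate_samples() -> dict:
    """Run both rules over every sample; returns {name: (putty_fires, tencent_fires)}."""
    return {name: (putty_rule_fires(d), tencent_rule_fires(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (putty, tencent) in evaluate_samples().items():
        print(f"{name:22} PuTTy_Encrypted_Key={putty}  Tencent_Credentials={tencent}")
```

The "putty_unencrypted" and "putty_ppk_v2" samples show the limits of the first rule (only 3DES-encrypted SSH-1 format keys match), and "tencent_id_only" and "tencent_far_apart" show why the second rule's proximity window exists. This is a check of the patterns, not a substitute for running rl-secure: YARA's engine and Python's re can differ in corner cases, so still confirm the result in the report as described in step 3.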

3. Enable the rule

Save your changes to the My_SDLC_Rule.yara file.

After saving changes to the rule, synchronize the project to apply the rule to all packages in the project.

rl-secure sync pkg:rl/my-project

You can confirm the rule has been used during analysis by looking at the report.

Export the HTML report for a package version in the project:

rl-secure report rl-html pkg:rl/my-project/my-package@version

Open the HTML report in your web browser and navigate to the Issues page accessed from the sidebar on the left-hand side.

The YARA rule should be listed in the Policy Violations > YARA Policies section.