Guardrail Scans on Scriptcase PHP Code

I recently implemented Guardrails into my pull requests in GitHub. At this point I’ve only added the security module as it’s a new application.

When I submitted a pull request to merge my branch to master, I noticed two common findings from Guardrails.

  1. $_SESSION['scriptcase']['nm_bases_security'] = "enc_nm_enc_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";

  2. $this->Ini->Css_status_pwd_box = "scFormInputErrorPwdBox";

#1 was flagged as Base64 High Entropy String

#2 was flagged as Secret Keyword

After closely looking at both, I believe these are both false-positive hits in Guardrails.

Has anyone else used a code quality scanner and found similar results? Is this something I should be worried about when I release the code to Production on a public website?
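
Added illustration, not part of the original post and not Guardrails' own code: a simplified sketch of the two heuristic families the finding names point to, showing why lines shaped like these get flagged regardless of whether the value is a real secret. The entropy threshold, minimum length and keyword list are assumptions, and the token in the first sample line is constructed because the post does not show the real value.

```python
import math
import re

# Assumed settings for illustration; a real scanner's values may differ.
ENTROPY_THRESHOLD = 4.5   # bits per character
MIN_LENGTH = 20           # ignore short literals such as array keys
KEYWORDS = ("password", "passwd", "pwd", "secret", "api_key", "token")

# Quoted literals made only of base64-like characters.
QUOTED = re.compile(r"""["']([A-Za-z0-9+/=_-]+)["']""")


def shannon_entropy(s):
    """Bits per character, from the string's own character frequencies."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(line):
    """Return the finding names a heuristic scanner would raise for one line."""
    findings = []
    # Heuristic 1: a long, random-looking literal, whatever it is assigned to.
    if any(len(v) >= MIN_LENGTH and shannon_entropy(v) > ENTROPY_THRESHOLD
           for v in QUOTED.findall(line)):
        findings.append("Base64 High Entropy String")
    # Heuristic 2: a secret-sounding name on the left of a string assignment,
    # whatever the value looks like.
    target, sep, rhs = line.partition("=")
    if sep and re.search(r"""["'].+["']""", rhs) and \
            any(k in target.lower() for k in KEYWORDS):
        findings.append("Secret Keyword")
    return findings


# Constructed sample lines modelled on the two findings, plus a control line.
SAMPLE = [
    r'''$_SESSION['scriptcase']['nm_bases_security'] = "enc_nm_enc_Zk8Qw3RtY6uPoL1sDf9GhJ2xVbT5aM7C";''',
    r'''$this->Ini->Css_status_pwd_box = "scFormInputErrorPwdBox";''',
    r'''$this->Ini->Css_status = "scFormInputError";''',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(scan_line(line) or ["no finding"], "<-", line)
```

Neither heuristic knows what the value is used for: the first reacts only to how random a literal looks, the second only to the variable name, so a CSS class name stored in a property containing `pwd` is enough to trigger it.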