False positive by S6302 and S6400

Language: Terraform
Rules: S6302, S6400
SonarCloud, SonarLint IntelliJ Plugin 10.7.0.78874

resource "google_secret_manager_secret_iam_member" "secretAccessor" {
  project   = var.project_id
  secret_id = var.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = var.member
}

SonarCloud message: “Make sure it is safe to grant that member full access to the resource.”

This is a false positive because this resource does not grant full access. It’s a reader role and it’s granted on the lowest level possible (GCP Secret resource).

I suspect that regex patterns used for identifying “full access” roles are too broad:

private static final String SENSITIVE_ROLES = ".*(?:admin|manager|owner|superuser).*";

This matches “roles/secretmanager.secretAccessor” although this is not a manager role but a role related to GCP Secret Manager.

Hello Dirk,
Thank you very much for your report and your analysis!

I can confirm the false positive and I have created a ticket on our side to fix this issue in the future.
We will need to adjust the regular expression for resources that already contain one of the keywords we are looking for.

This issue should be fixed in the future.

Best regards,
Daniel
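The mismatch reported above, reproduced as an added example that is neither SonarSource's rule code nor the fix tracked in Daniel's ticket: the quoted Java pattern is re-checked in Python with `fullmatch` (which mirrors Java's `String.matches()`), beside one possible narrowing that applies the keyword check only to the last segment of the role name so that a service name like `secretmanager` no longer triggers it. The narrowing, the `role_segment` helper and the sample role list are assumptions of this example.

```python
import re

# Pattern exactly as quoted in the report. Java's String.matches() requires a
# full-string match, which is why the keywords are wrapped in ".*".
BROAD_PATTERN = re.compile(r".*(?:admin|manager|owner|superuser).*")

# Same keywords, but applied only to the final segment of the role name
# (constructed alternative for this example, not SonarSource's fix).
SEGMENT_PATTERN = re.compile(r".*(?:admin|manager|owner|superuser).*")


def is_sensitive_broad(role: str) -> bool:
    """Behaviour described in the report: any substring hit anywhere in the role."""
    return BROAD_PATTERN.fullmatch(role) is not None


def role_segment(role: str) -> str:
    """Strip the 'roles/' prefix and the service prefix, keeping the role name itself.

    'roles/secretmanager.secretAccessor' -> 'secretAccessor'
    'roles/owner'                        -> 'owner'
    'projects/p/roles/customAdmin'       -> 'customAdmin'
    """
    return re.split(r"[./]", role)[-1]


def is_sensitive_narrow(role: str) -> bool:
    """Keyword check restricted to the role name after its service prefix."""
    return SEGMENT_PATTERN.fullmatch(role_segment(role)) is not None


def compare(roles):
    """Return (role, broad_hit, narrow_hit) so the two behaviours can be read side by side."""
    return [(r, is_sensitive_broad(r), is_sensitive_narrow(r)) for r in roles]


# Constructed sample: the role from the report plus a few predefined GCP roles.
SAMPLE_ROLES = [
    "roles/secretmanager.secretAccessor",  # reader role, flagged only by the broad pattern
    "roles/secretmanager.viewer",          # same service-name artefact
    "roles/secretmanager.admin",           # genuinely privileged, flagged by both
    "roles/owner",                         # project-wide, flagged by both
    "roles/viewer",                        # flagged by neither
]

if __name__ == "__main__":
    for role, broad, narrow in compare(SAMPLE_ROLES):
        print(f"{role:40} broad={broad!s:5} narrow={narrow!s:5}")
```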