Credential Leakage Checks #3287
derekwaters asked this question in New rules
Hi,
I have some AAP users for whom I've built a couple of additional ansible-lint rules to detect possible password leakage (into git or into logs), as they migrate a large number of legacy playbooks into their system.
The first rule is intended to flag any password args (including url_password, proxy_password) in modules that aren't using variables, i.e. the passwords are in the clear in the playbook, not in Vault or an external secrets store. In a DevOps environment where the playbooks are being stored in GitHub, this presents a risk of exposure of credentials that should be remedied.
The second rule is intended to try and detect passwords that might be being passed to a command or shell task as a command line parameter. If no_log is unset or False, this may cause Ansible to log passwords out in the clear. The detection is pretty imperfect, using a regex to try and check for password / pwd / pass parameters.
Is there any interest in me cleaning these up and raising a PR for them?