The External Secrets Inc. Audit & Compliance product suite is a premium product. It requires a specific subscription. Contact us for more information.

Cross Provider Duplication

This policy example checks whether a given secret is duplicated across providers. The secret is non-compliant when a copy of it exists in a provider other than the one it belongs to; copies held within the same provider are allowed.

Policy Execution Time

This policy example should be executed on Result events.

Default Deny, Allow Case-by-Case Policy Code

package main

import rego.v1

# Default deny: a secret is compliant only if one of the allow rules below matches
default allow := false

# Allow if the secret has no duplicates at all
# (Rego has no len built-in; count is the correct function)
allow if {
  count(input.Duplicates) == 0
}

# Allow if every duplicate lives in the same provider as the secret itself;
# a duplicate in any other provider leaves allow undefined, so the default applies
allow if {
  provider_id := input.ProviderId
  count({x | input.Duplicates[x]; same_provider(input.Duplicates[x], provider_id)}) == count(input.Duplicates)
}

# True when a duplicate entry belongs to the provider identified by base
same_provider(key, base) if {
  key.Provider == base
}
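A set of `opa test` cases exercising the policy on constructed Result-event inputs, added here as an example and not part of the product documentation. The inputs are made up; the `Key` field on each duplicate entry is assumed for realism (the policy only reads `Provider` and `ProviderId`).

```rego
package main

import rego.v1

# Constructed input: secret held in "aws-prod" with no copies anywhere -> compliant
test_no_duplicates_allowed if {
  allow with input as {"ProviderId": "aws-prod", "Duplicates": []}
}

# Constructed input: every copy lives in the same provider -> compliant
test_same_provider_duplicates_allowed if {
  allow with input as {
    "ProviderId": "aws-prod",
    "Duplicates": [
      {"Provider": "aws-prod", "Key": "db/password-copy"},
      {"Provider": "aws-prod", "Key": "db/password-old"}
    ]
  }
}

# Constructed input: one copy sits in a second provider -> non-compliant (default deny)
test_cross_provider_duplicate_denied if {
  not allow with input as {
    "ProviderId": "aws-prod",
    "Duplicates": [
      {"Provider": "aws-prod", "Key": "db/password-copy"},
      {"Provider": "gcp-prod", "Key": "db/password"}
    ]
  }
}

# Constructed input: Duplicates field absent entirely -> count() is undefined,
# neither allow rule fires, and the default false applies (fails closed)
test_missing_duplicates_denied if {
  not allow with input as {"ProviderId": "aws-prod"}
}
```

Save the policy as `policy.rego` and these cases as `policy_test.rego`, then run `opa test policy.rego policy_test.rego`; all four cases should pass.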