
Automated Remediation Patch#49

Closed
mrchoc wants to merge 1 commit intomainfrom
remediation-20251115140959

Conversation


@mrchoc mrchoc commented Nov 15, 2025

Policy Remediation Report

Original File: sample-configs/application.properties
Validation Status: FAILED
Violations Detected: 11
Policy Used: policy/deny-application-properties.rego


🧩 Changes Summary

Total Changes: 22

Details

  • ADDED → Added: "spring.datasource.password": "${DB_PASSWORD}",
  • ADDED → Added: "management.endpoints.web.exposure.include": "health,info",
  • ADDED → Added: "management.endpoint.health.show-details": "when-authorized",
  • ADDED → Added: "logging.level.root": "INFO",
  • ADDED → Added: "security.oauth2.client.client-secret": "${OAUTH2_CLIENT_SECRET}",
  • ADDED → Added: "jwt.secret": "${JWT_SECRET}",
  • ADDED → Added: "app.cors.allowed-origins": "https://mytrusteddomain.com",
  • ADDED → Added: "file.upload-dir": "${FILE_UPLOAD_DIR}",
  • ADDED → Added: "spring.mail.password": "${MAIL_PASSWORD}",
  • ADDED → Added: "app.debug": "false",
  • ADDED → Added: "app.admin.open": "false"
  • REMOVED → Removed: "spring.datasource.password": "SuperSecretPassword123!",
  • REMOVED → Removed: "management.endpoints.web.exposure.include": "*",
  • REMOVED → Removed: "management.endpoint.health.show-details": "always",
  • REMOVED → Removed: "logging.level.root": "DEBUG",
  • REMOVED → Removed: "security.oauth2.client.client-secret": "DefinitelyNotSafeSecret",
  • REMOVED → Removed: "jwt.secret": "ultrasecretjwtkeythatshouldntbecommitted",
  • REMOVED → Removed: "app.cors.allowed-origins": "*",
  • REMOVED → Removed: "file.upload-dir": "/tmp/uploads",
  • REMOVED → Removed: "spring.mail.password": "MailPassw0rd!",
  • REMOVED → Removed: "app.debug": "true",
  • REMOVED → Removed: "app.admin.open": "true"

🔍 Validation Summary

Test Type | Total | Passed | Failed
Original  | 11    | 0      | 11
Patched   | 11    | 11     | 0

🚨 Violations Analysis

FAIL - sample-configs/application.properties - main - Actuator health details exposed. Use 'when-authorized' instead.
FAIL - sample-configs/application.properties - main - Administrative interface open. Restrict or disable in production.
FAIL - sample-configs/application.properties - main - CORS allowed for all origins. Restrict allowed origins.
FAIL - sample-configs/application.properties - main - Debug logging enabled. Set logging.level.root to INFO or higher in production.
FAIL - sample-configs/application.properties - main - Debug mode enabled. Disable debug in production.
FAIL - sample-configs/application.properties - main - Exposes all actuator endpoints. Only expose what is needed.
FAIL - sample-configs/application.properties - main - Hardcoded DB password found. Use environment variables.
FAIL - sample-configs/application.properties - main - Hardcoded JWT secret found. Use environment variables.
FAIL - sample-configs/application.properties - main - Hardcoded OAuth2 client secret found. Use environment variables.
FAIL - sample-configs/application.properties - main - Hardcoded file upload directory found. Use a persistent and restricted directory with environment variables.
FAIL - sample-configs/application.properties - main - Hardcoded mail password found. Use environment variables.

11 tests, 0 passed, 0 warnings, 11 failures, 0 exceptions


🕒 Timing

  • Start: 2025-11-15T14:09:45.056829Z
  • End: 2025-11-15T14:09:58.751532Z
  • Duration: 13.69 seconds

🧾 Patched Content

spring.datasource.url=jdbc:postgresql://db.example.com:5432/appdb
spring.datasource.username=app_user
spring.datasource.password=${DB_PASSWORD}
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=when-authorized
management.endpoints.web.base-path=/actuator
logging.level.root=INFO
logging.file.name=/var/log/myapp/app.log
security.oauth2.client.client-id=my-client
security.oauth2.client.client-secret=${OAUTH2_CLIENT_SECRET}
jwt.secret=${JWT_SECRET}
app.cors.allowed-origins=https://mytrusteddomain.com
file.upload-dir=${FILE_UPLOAD_DIR}
spring.mail.host=smtp.example.com
spring.mail.username=noreply@example.com
spring.mail.password=${MAIL_PASSWORD}
app.debug=false
app.admin.open=false

@mrchoc mrchoc closed this Nov 17, 2025
@mrchoc mrchoc deleted the remediation-20251115140959 branch November 17, 2025 09:14