Need to calculate secret options for fanal cache key #4796

Closed
DmitriyLewen opened this issue Jul 7, 2023 Discussed in #4791 · 0 comments · Fixed by #4837
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning

Comments

@DmitriyLewen (Contributor)

Discussed in #4791

There are problems with the cache when scanning secrets.
We don't track the use of the secret config file or its changes.

// TODO: add secret scanner option here

So we can skip/add some results.
e.g.:

➜  trivy image --reset                                                                                                                 
2023-07-07T14:39:24.642+0600	INFO	Removing DB file...
2023-07-07T14:39:24.642+0600	INFO	Removing artifact caches...
➜  trivy image --scanners secret --secret-config trivy-config-secret.yaml quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e
2023-07-07T14:40:34.082+0600	INFO	Secret scanning is enabled
2023-07-07T14:40:34.082+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-07T14:40:34.082+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-07-07T14:40:34.085+0600	INFO	Loading trivy-config-secret.yaml for secret scanning...
2023-07-07T14:40:34.085+0600	INFO	Loading trivy-config-secret.yaml for secret scanning...

/usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem:1 (added by 'COPY dir:197d381bfcf8167e314592c950a7857')
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ -----BEGIN ENCRYPTED PRIVATE KEY-----***-----END ENCRYPTED PRIVATE KEY-----
   2   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

➜  trivy image --scanners secret quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e 
2023-07-07T14:40:56.374+0600	INFO	Secret scanning is enabled
2023-07-07T14:40:56.374+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-07T14:40:56.374+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection

/usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem:1 (added by 'COPY dir:197d381bfcf8167e314592c950a7857')
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ -----BEGIN ENCRYPTED PRIVATE KEY-----***----END ENCRYPTED PRIVATE KEY-----
   2   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
➜  trivy image --reset                                                                                                                 
2023-07-07T14:44:24.642+0600	INFO	Removing DB file...
2023-07-07T14:44:24.642+0600	INFO	Removing artifact caches...
➜  trivy image --scanners secret quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e
2023-07-07T14:45:00.847+0600	INFO	Secret scanning is enabled
2023-07-07T14:45:00.847+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-07T14:45:00.847+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
➜  trivy image --scanners secret --secret-config trivy-config-secret.yaml quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e
2023-07-07T14:45:14.769+0600	INFO	Secret scanning is enabled
2023-07-07T14:45:14.769+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-07T14:45:14.769+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-07-07T14:45:14.772+0600	INFO	Loading trivy-config-secret.yaml for secret scanning...
2023-07-07T14:45:14.772+0600	INFO	Loading trivy-config-secret.yaml for secret scanning...
@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning labels Jul 7, 2023
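The cache-key collision described in this issue, as an added Go illustration that is not trivy's own code: `ScanOptions`, `buggyCacheKey` and `fixedCacheKey` are hypothetical names, and the sample secret config in `main` is constructed. The buggy key ignores `--secret-config`, so the second run above is served the first run's cached result; the fixed key hashes the config in whenever the secret scanner is enabled.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// ScanOptions is a hypothetical model of the per-scan inputs (not trivy's own type).
type ScanOptions struct {
	Scanners     []string // enabled scanners, e.g. "vuln", "secret"
	SecretConfig string   // raw contents of the --secret-config file; "" if none
}
// digestOf joins the parts with a NUL separator and returns their SHA-256 hex.
func digestOf(parts ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])
}

// normalizedScanners makes the key independent of --scanners ordering.
func normalizedScanners(s []string) string {
	c := append([]string(nil), s...)
	sort.Strings(c)
	return strings.Join(c, ",")
}

// buggyCacheKey reproduces the report above: the secret config never reaches the key.
func buggyCacheKey(imageDigest string, opts ScanOptions) string {
	return digestOf("v1", imageDigest, normalizedScanners(opts.Scanners))
}
// fixedCacheKey also hashes the secret config in, but only when the secret
// scanner is enabled, so vuln-only scans keep sharing cache entries.
func fixedCacheKey(imageDigest string, opts ScanOptions) string {
	scanners := normalizedScanners(opts.Scanners)
	secretPart := ""
	if strings.Contains(","+scanners+",", ",secret,") {
		secretPart = digestOf(opts.SecretConfig)
	}
	return digestOf("v2", imageDigest, scanners, secretPart)
}
func main() {
	const img = "sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e"
	plain := ScanOptions{Scanners: []string{"secret"}}
	// constructed sample config that disables the private-key rule seen in the output above
	custom := ScanOptions{Scanners: []string{"secret"}, SecretConfig: "disable-rules:\n  - private-key\n"}
	fmt.Println("buggy keys collide:", buggyCacheKey(img, plain) == buggyCacheKey(img, custom))
	fmt.Println("fixed keys collide:", fixedCacheKey(img, plain) == fixedCacheKey(img, custom))
}
```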