
🐛 False-Positive Secret Detection - Base64String Matches AWS Access Key ID Pattern #2060

Closed · 1 of 2 tasks
AErmie opened this issue Apr 27, 2022 · 9 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug), lifecycle/stale (Denotes an issue or PR has remained open with no activity and will be auto-closed)

Comments

AErmie commented Apr 27, 2022

Checklist

  • I've read the documentation regarding wrong detection.
  • I've confirmed that a security advisory in data sources was correct.
    • Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.

Note: I was not able to confirm the data sources for the security advisory based on the output.

Description

Trivy image scan identifies a critical secret vulnerability. We believe this is a false positive, as the matched "secret" is actually part of a base64 string of a mock image we have in the source code, which gets transpiled into a backend.js file.

We don't want to suppress the secret rule completely (as we want to catch any legitimate ones).

JSON output of a run with --debug:

Trivy Debug output

2022-04-27T15:23:18.338Z	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-27T15:23:18.339Z	DEBUG	cache dir:  /.cache
2022-04-27T15:23:18.339Z	DEBUG	DB update was skipped because the local DB is the latest
2022-04-27T15:23:18.339Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-04-27 12:11:31.854478279 +0000 UTC, NextUpdate: 2022-04-27 18:11:31.854477779 +0000 UTC, DownloadedAt: 2022-04-27 15:23:17.037588799 +0000 UTC
2022-04-27T15:23:18.339Z	DEBUG	Vulnerability type:  [os library]
2022-04-27T15:23:18.342Z	DEBUG	No secret config detected: trivy-secret.yaml
2022-04-27T15:23:18.342Z	DEBUG	Image ID: sha256:35660d82fcd6208eafd8b5c0efe3efb5b825b2ea02e02af466be573c85e304e1
2022-04-27T15:23:18.342Z	DEBUG	Diff IDs: [sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628 sha256:cdb4a052fad7cfcbe8a8bcd37edb2da38de007f259ddb31deeedd8860f14e601 sha256:b5a53db2b893ada6519f1d261e83866ffa7f650eee6cbf0dbc4b172a98c114fc sha256:9c8958a02c6e3fcc89c7de2299c6a56c79777b5374e49b46d0c1f44ac07ba3fc sha256:3a53a4029ebdc781d7419ae570688859f2a627be0d289c84f49a3be655903973 sha256:b098c7dbb7cccbd1de3b992a6ad1a6fbcab01609ff6e7d86e79c135e0535fc62 sha256:09f2f6cafe72823f33dd566f1d127759f4796bd88695be833b8bf6bda9a81a1a sha256:42329f51e8fbb64538d3bfeb1c9e3c4c5822eb934c561350bae7ca45bacc5471 sha256:e123887aba9a55f5c0b56e046abdbd93e9d9bf3db97de448711bf7bed0b3ba03 sha256:31ead3a476dfafc438526c440d84585953ffeab5b1614a0a50c9d74854c2c619 sha256:aae9aa238b19dbfd33d61d5cbe7f23a0fb0b7b8c99a9d0c3b0c454a8a1745532]
2022-04-27T15:23:18.342Z	DEBUG	Base Layers: [sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628 sha256:cdb4a052fad7cfcbe8a8bcd37edb2da38de007f259ddb31deeedd8860f14e601 sha256:b5a53db2b893ada6519f1d261e83866ffa7f650eee6cbf0dbc4b172a98c114fc sha256:9c8958a02c6e3fcc89c7de2299c6a56c79777b5374e49b46d0c1f44ac07ba3fc]
2022-04-27T15:23:18.344Z	DEBUG	Missing image ID in cache: sha256:35660d82fcd6208eafd8b5c0efe3efb5b825b2ea02e02af466be573c85e304e1
2022-04-27T15:23:18.347Z	DEBUG	Missing diff ID in cache: sha256:3a53a4029ebdc781d7419ae570688859f2a627be0d289c84f49a3be655903973
2022-04-27T15:23:18.347Z	DEBUG	Missing diff ID in cache: sha256:42329f51e8fbb64538d3bfeb1c9e3c4c5822eb934c561350bae7ca45bacc5471
2022-04-27T15:23:18.347Z	DEBUG	Missing diff ID in cache: sha256:b098c7dbb7cccbd1de3b992a6ad1a6fbcab01609ff6e7d86e79c135e0535fc62
2022-04-27T15:23:18.347Z	DEBUG	Missing diff ID in cache: sha256:09f2f6cafe72823f33dd566f1d127759f4796bd88695be833b8bf6bda9a81a1a
2022-04-27T15:23:18.347Z	DEBUG	Missing diff ID in cache: sha256:cdb4a052fad7cfcbe8a8bcd37edb2da38de007f259ddb31deeedd8860f14e601
2022-04-27T15:23:18.348Z	DEBUG	Missing diff ID in cache: sha256:e123887aba9a55f5c0b56e046abdbd93e9d9bf3db97de448711bf7bed0b3ba03
2022-04-27T15:23:18.348Z	DEBUG	Missing diff ID in cache: sha256:31ead3a476dfafc438526c440d84585953ffeab5b1614a0a50c9d74854c2c619
2022-04-27T15:23:18.348Z	DEBUG	Missing diff ID in cache: sha256:b5a53db2b893ada6519f1d261e83866ffa7f650eee6cbf0dbc4b172a98c114fc
2022-04-27T15:23:18.348Z	DEBUG	Missing diff ID in cache: sha256:9c8958a02c6e3fcc89c7de2299c6a56c79777b5374e49b46d0c1f44ac07ba3fc
2022-04-27T15:23:18.348Z	DEBUG	Missing diff ID in cache: sha256:aae9aa238b19dbfd33d61d5cbe7f23a0fb0b7b8c99a9d0c3b0c454a8a1745532
<snip>
2022-04-27T15:23:32.793Z	INFO	Detected OS: alpine
2022-04-27T15:23:32.793Z	INFO	Detecting Alpine vulnerabilities...
2022-04-27T15:23:32.793Z	DEBUG	alpine: os version: 3.15
2022-04-27T15:23:32.793Z	DEBUG	alpine: package repository: 3.15
2022-04-27T15:23:32.793Z	DEBUG	alpine: the number of packages: 16
2022-04-27T15:23:32.794Z	INFO	Number of language-specific files: 2
2022-04-27T15:23:32.794Z	INFO	Detecting gobinary vulnerabilities...
2022-04-27T15:23:32.794Z	DEBUG	Detecting library vulnerabilities, type: gobinary, path: app/node_modules/esbuild/bin/esbuild
2022-04-27T15:23:32.794Z	INFO	Detecting node-pkg vulnerabilities...
2022-04-27T15:23:32.794Z	DEBUG	Detecting library vulnerabilities, type: node-pkg, path: 
2022-04-27T15:23:32.816Z	DEBUG	Secret file: app/dist/backend/backend.js
2022-04-27T15:23:32.817Z	DEBUG	Found an ignore file .trivyignore
2022-04-27T15:23:32.817Z	DEBUG	These IDs will be ignored: []

Trivy -f JSON output

{
  "SchemaVersion": 2,
  "ArtifactName": "myapp-backend:20220427-24",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.15.4"
    },
    "ImageID": "sha256:35660d82fcd6208eafd8b5c0efe3efb5b825b2ea02e02af466be573c85e304e1",
    "DiffIDs": [
      "sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628",
      "sha256:cdb4a052fad7cfcbe8a8bcd37edb2da38de007f259ddb31deeedd8860f14e601",
      "sha256:b5a53db2b893ada6519f1d261e83866ffa7f650eee6cbf0dbc4b172a98c114fc",
      "sha256:9c8958a02c6e3fcc89c7de2299c6a56c79777b5374e49b46d0c1f44ac07ba3fc",
      "sha256:3a53a4029ebdc781d7419ae570688859f2a627be0d289c84f49a3be655903973",
      "sha256:b098c7dbb7cccbd1de3b992a6ad1a6fbcab01609ff6e7d86e79c135e0535fc62",
      "sha256:09f2f6cafe72823f33dd566f1d127759f4796bd88695be833b8bf6bda9a81a1a",
      "sha256:42329f51e8fbb64538d3bfeb1c9e3c4c5822eb934c561350bae7ca45bacc5471",
      "sha256:e123887aba9a55f5c0b56e046abdbd93e9d9bf3db97de448711bf7bed0b3ba03",
      "sha256:31ead3a476dfafc438526c440d84585953ffeab5b1614a0a50c9d74854c2c619",
      "sha256:aae9aa238b19dbfd33d61d5cbe7f23a0fb0b7b8c99a9d0c3b0c454a8a1745532"
    ],
    "RepoTags": [
      "myapp-backend:20220427-24"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2022-04-27T15:23:03.687884974Z",
      "history": [
        {
          "created": "2022-04-05T00:19:59Z",
          "created_by": "/bin/sh -c #(nop) ADD file:5d673d25da3a14ce1f6cf66e4c7fd4f4b85a3759a9d93efb3fd9ff852b5b56e4 in / "
        },
        {
          "created": "2022-04-05T00:19:59Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        },
        {
          "created": "2022-04-05T10:10:43Z",
          "created_by": "/bin/sh -c #(nop)  ENV NODE_VERSION=16.14.2",
          "empty_layer": true
        },
        {
          "created": "2022-04-05T10:10:51Z",
          "created_by": "/bin/sh -c addgroup -g 1000 node     \u0026\u0026 adduser -u 1000 -G node -s /bin/sh -D node     \u0026\u0026 apk add --no-cache         libstdc++     \u0026\u0026 apk add --no-cache --virtual .build-deps         curl     \u0026\u0026 ARCH= \u0026\u0026 alpineArch=\"$(apk --print-arch)\"       \u0026\u0026 case \"${alpineArch##*-}\" in         x86_64)           ARCH='x64'           CHECKSUM=\"a6dc255e1ef1f20372306eec932b4a3648575c6d3024bcd685b8efc93dc95569\"           ;;         *) ;;       esac   \u0026\u0026 if [ -n \"${CHECKSUM}\" ]; then     set -eu;     curl -fsSLO --compressed \"https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\";     echo \"$CHECKSUM  node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" | sha256sum -c -       \u0026\u0026 tar -xJf \"node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" -C /usr/local --strip-components=1 --no-same-owner       \u0026\u0026 ln -s /usr/local/bin/node /usr/local/bin/nodejs;   else     echo \"Building from source\"     \u0026\u0026 apk add --no-cache --virtual .build-deps-full         binutils-gold         g++         gcc         gnupg         libgcc         linux-headers         make         python3     \u0026\u0026 for key in       4ED778F539E3634C779C87C6D7062848A1AB005C       141F07595B7B3FFE74309A937405533BE57C7D57       94AE36675C464D64BAFA68DD7434390BDBE9B9C5       74F12602B6F1C4E913FAA37AD3A89613643B6201       71DCFD284A79C3B38668286BC97EC7A07EDE3FC1       8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600       C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8       C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C       DD8F2338BAE7501E3DD5AC78C273792F7D83545D       A48C2BEE680E841632CD4E44F07496B3EB3C1762       108F52B48DB57BB0CC439B2997B01419BD92F80A       B9E2F5981AA6E0CD28160D9FF13993A75599653C     ; do       gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$key\" ||       gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \"$key\" ;     done     \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz\"     \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc\"     \u0026\u0026 gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc     \u0026\u0026 grep \" node-v$NODE_VERSION.tar.xz\\$\" SHASUMS256.txt | sha256sum -c -     \u0026\u0026 tar -xf \"node-v$NODE_VERSION.tar.xz\"     \u0026\u0026 cd \"node-v$NODE_VERSION\"     \u0026\u0026 ./configure     \u0026\u0026 make -j$(getconf _NPROCESSORS_ONLN) V=     \u0026\u0026 make install     \u0026\u0026 apk del .build-deps-full     \u0026\u0026 cd ..     \u0026\u0026 rm -Rf \"node-v$NODE_VERSION\"     \u0026\u0026 rm \"node-v$NODE_VERSION.tar.xz\" SHASUMS256.txt.asc SHASUMS256.txt;   fi   \u0026\u0026 rm -f \"node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\"   \u0026\u0026 apk del .build-deps   \u0026\u0026 node --version   \u0026\u0026 npm --version"
        },
        {
          "created": "2022-04-05T10:10:51Z",
          "created_by": "/bin/sh -c #(nop)  ENV YARN_VERSION=1.22.18",
          "empty_layer": true
        },
        {
          "created": "2022-04-05T10:10:55Z",
          "created_by": "/bin/sh -c apk add --no-cache --virtual .build-deps-yarn curl gnupg tar   \u0026\u0026 for key in     6A010C5166006599AA17F08146C2130DFD2497F5   ; do     gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$key\" ||     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \"$key\" ;   done   \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz\"   \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc\"   \u0026\u0026 gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz   \u0026\u0026 mkdir -p /opt   \u0026\u0026 tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/   \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn   \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg   \u0026\u0026 rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz   \u0026\u0026 apk del .build-deps-yarn   \u0026\u0026 yarn --version"
        },
        {
          "created": "2022-04-05T10:10:55Z",
          "created_by": "/bin/sh -c #(nop) COPY file:4d192565a7220e135cab6c77fbc1c73211b69f3d9fb37e62857b2c6eb9363d51 in /usr/local/bin/ "
        },
        {
          "created": "2022-04-05T10:10:56Z",
          "created_by": "/bin/sh -c #(nop)  ENTRYPOINT [\"docker-entrypoint.sh\"]",
          "empty_layer": true
        },
        {
          "created": "2022-04-05T10:10:56Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"node\"]",
          "empty_layer": true
        },
        {
          "created": "2022-04-27T13:15:28Z",
          "created_by": "RUN /bin/sh -c npm install -g [email protected] # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-27T13:15:28Z",
          "created_by": "USER node",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2022-04-27T13:15:28Z",
          "created_by": "WORKDIR /app",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2022-04-27T15:22:56Z",
          "created_by": "COPY /app/dist/backend /app/dist/backend # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-27T15:22:56Z",
          "created_by": "COPY /app/package.json /app # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-27T15:23:03Z",
          "created_by": "COPY /app/node_modules /app/node_modules # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-27T15:23:03Z",
          "created_by": "COPY /app/src/features-* /app/src/ # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-27T15:23:03Z",
          "created_by": "COPY /app/src/controllers/v1/mock/data/currentUser /app/src/controllers/v1/mock/data/currentUser # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-27T15:23:03Z",
          "created_by": "EXPOSE map[3000/tcp:{}]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2022-04-27T15:23:03Z",
          "created_by": "CMD [\"node\" \"/app/dist/backend/backend.js\"]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628",
          "sha256:cdb4a052fad7cfcbe8a8bcd37edb2da38de007f259ddb31deeedd8860f14e601",
          "sha256:b5a53db2b893ada6519f1d261e83866ffa7f650eee6cbf0dbc4b172a98c114fc",
          "sha256:9c8958a02c6e3fcc89c7de2299c6a56c79777b5374e49b46d0c1f44ac07ba3fc",
          "sha256:3a53a4029ebdc781d7419ae570688859f2a627be0d289c84f49a3be655903973",
          "sha256:b098c7dbb7cccbd1de3b992a6ad1a6fbcab01609ff6e7d86e79c135e0535fc62",
          "sha256:09f2f6cafe72823f33dd566f1d127759f4796bd88695be833b8bf6bda9a81a1a",
          "sha256:42329f51e8fbb64538d3bfeb1c9e3c4c5822eb934c561350bae7ca45bacc5471",
          "sha256:e123887aba9a55f5c0b56e046abdbd93e9d9bf3db97de448711bf7bed0b3ba03",
          "sha256:31ead3a476dfafc438526c440d84585953ffeab5b1614a0a50c9d74854c2c619",
          "sha256:aae9aa238b19dbfd33d61d5cbe7f23a0fb0b7b8c99a9d0c3b0c454a8a1745532"
        ]
      },
      "config": {
        "Cmd": [
          "node",
          "/app/dist/backend/backend.js"
        ],
        "Entrypoint": [
          "docker-entrypoint.sh"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "NODE_VERSION=16.14.2",
          "YARN_VERSION=1.22.18"
        ],
        "User": "node",
        "WorkingDir": "/app",
        "ArgsEscaped": true
      }
    }
  },
  "Results": [
    {
      "Target": "myapp-backend:20220427-24 (alpine 3.15.4)",
      "Class": "os-pkgs",
      "Type": "alpine"
    },
    {
      "Target": "Node.js",
      "Class": "lang-pkgs",
      "Type": "node-pkg"
    },
    {
      "Target": "app/node_modules/esbuild/bin/esbuild",
      "Class": "lang-pkgs",
      "Type": "gobinary"
    },
    {
      "Target": "app/dist/backend/backend.js",
      "Class": "secret",
      "Secrets": [
        {
          "RuleID": "aws-access-key-id",
          "Category": "AWS",
          "Severity": "CRITICAL",
          "Title": "AWS Access Key ID",
          "StartLine": 34209,
          "EndLine": 34209,
          "Match": "EVGSTo7PxJlV0hOIYOEZ1w//EABwBA*****AECAAMEBQYHCP/EAEURA"
        }
      ]
    }
  ]
}

Output of trivy -v:

Digest: sha256:5c8043510bb84ed663a4c0b23887c96edb7e78093bceef0083921887e961494f
Status: Downloaded newer image for aquasec/trivy:latest
docker.io/aquasec/trivy:latest
Version: 0.27.1

Additional details (base image name, container registry info...):

  • Base image is node:16-alpine3.15

I am running Trivy via the Docker container using the following:

docker run --rm \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --name Trivy aquasec/trivy:latest --debug \
  --ignore-unfixed --exit-code 0 --format json \
  myapp-backend:123
@AErmie AErmie added the kind/bug Categorizes issue or PR as related to a bug. label Apr 27, 2022
danbrad commented May 4, 2022

It appears that this is also happening for me, for portions of the default web.config file in Windows containers.

            <fullTrustAssemblies>
                <add
                    assemblyName="Microsoft.VisualStudio.Enterprise.AspNetHelper" 
                    version="11.0.0.0"
                    publicKey="002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293"
                />

Files/Windows/Microsoft.NET/Framework/v4.0.30319/Config/web.config.default (secrets)
====================================================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 4)

+----------+-----------------------+----------+---------+-------------------------------------+
| CATEGORY |      DESCRIPTION      | SEVERITY | LINE NO |                MATCH                |
+----------+-----------------------+----------+---------+-------------------------------------+
|   AWS    | AWS Secret Access Key | CRITICAL |   28    | publicKey=*****52534131000400000100 |
+          +                       +          +---------+                                     +
|          |                       |          |   33    |                                     |
+          +                       +          +---------+                                     +
|          |                       |          |   38    |                                     |
+          +                       +          +---------+                                     +
|          |                       |          |   43    |                                     |
+----------+-----------------------+----------+---------+-------------------------------------+
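
Both reports in this thread (the base64 image slice in backend.js and the strong-name publicKey hex in web.config) come from the same mechanism: a regex that describes the shape of a credential also matches any long run of credential-shaped characters. The following is an added example, not code from the issue or from Trivy. It uses illustrative patterns in the shape many scanners use for these two rules (assumed for the example, not Trivy's actual rule definitions) over a constructed file, and shows one triage check a reviewer can apply: a hit that sits inside a much longer base64 run, or that is pure hex inside a longer hex run, is far more likely an encoded blob or a public key than a credential. The credential pair in the sample is AWS's documented placeholder values; the image data and the publicKey value are constructed.

```python
import re
from dataclasses import dataclass

# Illustrative patterns in the shape many secret scanners use for the two AWS
# credential types reported in this issue. They are written for this example
# and are NOT Trivy's rule definitions.
ACCESS_KEY_ID_RE = re.compile(
    r"(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
)
SECRET_KEY_RE = re.compile(r"[A-Za-z0-9/+=]{40}")
RULES = {"aws-access-key-id": ACCESS_KEY_ID_RE, "aws-secret-access-key": SECRET_KEY_RE}

# Character classes used to measure the run of text a hit is embedded in.
BASE64_RUN = re.compile(r"[A-Za-z0-9/+=]+")
HEX_RUN = re.compile(r"[0-9A-Fa-f]+")


@dataclass
class Finding:
    rule: str
    line_no: int
    match: str
    reason: str  # "" for a credible hit, otherwise why it is probably benign


def _enclosing_run(line, start, end, alphabet):
    """Length of the maximal run of `alphabet` characters containing line[start:end]."""
    for m in alphabet.finditer(line):
        if m.start() <= start and m.end() >= end:
            return m.end() - m.start()
    return end - start


def classify(line, start, end):
    """Return "" if the hit looks like a stand-alone credential, else a reason."""
    token = line[start:end]
    # A .NET strong-name publicKey or a hash is pure hex and usually much longer
    # than 40 characters; real AWS secret keys are mixed-case base64-like text.
    if HEX_RUN.fullmatch(token) and _enclosing_run(line, start, end, HEX_RUN) > len(token):
        return "pure hex inside a longer hex run (public key or hash?)"
    # A credential sits in a run of its own length (quotes or whitespace around
    # it); a slice of an inline image sits deep inside a much longer base64 run.
    b64_len = _enclosing_run(line, start, end, BASE64_RUN)
    if b64_len >= 2 * len(token):
        return f"inside a {b64_len}-char base64 run (encoded blob?)"
    return ""


def scan(text):
    """One finding per (rule, line), like the scanner's table output."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(rule_id, line_no, m.group(0),
                                        classify(line, m.start(), m.end())))
    return findings


def credible(findings):
    return [f for f in findings if not f.reason]


# Constructed sample file. Lines 2-3 use AWS's documented placeholder credential
# values; line 5 is a made-up base64 "image" whose payload happens to contain
# AKIA followed by 16 alphanumerics; line 6 is a made-up strong-name publicKey.
SAMPLE = """\
// constructed sample: a credential pair using AWS's documented placeholder values
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
// constructed base64 image whose payload happens to contain AKIA plus 16 alphanumerics
const mockImage = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAKIAJ7B2ZQX9M4K1L0P5QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowAAAABJRU5ErkJggg==";
<add assemblyName="Example.Assembly" publicKey="0024000004800000940000000602000000240000525341310004000001000100ABCDEF0123456789ABCDEF0123456789ABCDEF01" />
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        status = "CREDIBLE " if not f.reason else "LIKELY FP"
        print(f"{status} line {f.line_no} {f.rule}: {f.match[:12]}... {f.reason}")
```

Run as a script it prints five hits: the two placeholder credentials on lines 2 and 3 are kept as credible, while the two hits inside the image data URI and the hit in the publicKey hex are tagged with a reason. The context check is a triage aid, not a replacement for the rule: it never drops a hit whose surrounding run is the credential itself.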


DmitriyLewen (Contributor) commented

Hello @AErmie @danbrad!
Thanks for your reports.

We will work on your problems.

At the moment, you can use the trivy-secret.yaml file to skip this category or files.
More information about the configuration of secrets is here.

Regards, Dmitriy

AErmie (Author) commented May 5, 2022

Thanks @DmitriyLewen, in the Secrets Configuration documentation, I don't see an example of how to skip a specific file or directory. I only see how to disable rules.

Can the documentation be updated with an example on how to ignore paths/files? Thanks.

DmitriyLewen (Contributor) commented

@AErmie, use the --skip-dirs or --skip-files flags to ignore dirs or files.
Example here

knqyf263 (Collaborator) commented May 6, 2022

@AErmie Please see also:
https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/scanning/#recommendation

We're trying to improve this rule now. Thanks for your patience.

AErmie (Author) commented May 9, 2022

Thanks @knqyf263. My apologies, what I meant was that I didn't see an example of how to skip a specific file or directory using the trivy-secret.yaml file.

Thank you for everyone's work on improving the rule.

foozmeat commented

I also need an example of ignoring a path from a config file. I want the ignored files to be in source control and not configured on the command line.

foozmeat commented

For instance, I would expect the following to ignore files under /opt/venv, but it doesn't work:

allow-rules:
  - id: ignore_venv
    path: /opt/venv/.*
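
An added example (not the issue's or Trivy's own code) that models how an allow-rule carrying a path pattern, in the key layout of the trivy-secret.yaml allow-rules section, would be applied to the secret findings of a Trivy JSON report. The report is constructed in the same shape as the one in this issue and reuses its backend.js finding; the other two targets are made up. The caveat it illustrates: the debug output in this issue reports the scanned file as app/dist/backend/backend.js, with no leading slash, so a pattern anchored on /opt/venv/ would not match a path reported as opt/venv/... . That the pattern is searched against the reported path in that form is an assumption of this example, to be checked against the Trivy documentation linked earlier, not a statement from the maintainers.

```python
import json
import re

# Constructed Trivy-style JSON report in the same shape as the report in this
# issue (Results[].Class == "secret", Target = path as the scanner reports it,
# without a leading slash). The backend.js entry is the finding from the issue;
# the other two targets are made up for the example.
REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "ArtifactName": "example-backend:1",
  "Results": [
    {"Target": "app/dist/backend/backend.js", "Class": "secret",
     "Secrets": [{"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
                  "Title": "AWS Access Key ID", "StartLine": 34209, "EndLine": 34209,
                  "Match": "EVGSTo7PxJlV0hOIYOEZ1w//EABwBA*****AECAAMEBQYHCP/EAEURA"}]},
    {"Target": "opt/venv/lib/python3.10/site-packages/somepkg/fixtures.py", "Class": "secret",
     "Secrets": [{"RuleID": "aws-secret-access-key", "Category": "AWS", "Severity": "CRITICAL",
                  "Title": "AWS Secret Access Key", "StartLine": 12, "EndLine": 12,
                  "Match": "secret=*****EXAMPLEKEY"}]},
    {"Target": "app/config/prod.env", "Class": "secret",
     "Secrets": [{"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
                  "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3,
                  "Match": "AWS_ACCESS_KEY_ID=AKIA****************"}]}
  ]
}
""")

# Allow-rules in the key layout of the trivy-secret.yaml `allow-rules` section
# (id / description / path). Kept as Python data so no YAML parser is needed.
# ASSUMPTION for this example: `path` is a regular expression searched against
# the target path exactly as the scanner reports it (no leading slash).
ALLOW_RULES_ABSOLUTE = [  # the pattern from the comment above, anchored on "/opt"
    {"id": "ignore_venv", "description": "skip the virtualenv", "path": r"/opt/venv/.*"},
]
ALLOW_RULES_RELATIVE = [  # patterns written against the reported (relative) form
    {"id": "ignore_venv", "description": "skip the virtualenv", "path": r"^opt/venv/.*"},
    {"id": "mock_image", "description": "inline mock image in the transpiled backend",
     "path": r"^app/dist/backend/backend\.js$"},
]


def allowed_by(rules, target):
    """Return the id of the first allow-rule whose path pattern matches, else None."""
    for rule in rules:
        if "path" in rule and re.search(rule["path"], target):
            return rule["id"]
    return None


def apply_allow_rules(report, rules):
    """Split the report's secret findings into (kept, suppressed) lists of
    (target, rule_id, start_line, allow_rule_id) tuples."""
    kept, suppressed = [], []
    for result in report.get("Results", []):
        if result.get("Class") != "secret":
            continue
        target = result["Target"]
        why = allowed_by(rules, target)
        for secret in result.get("Secrets", []):
            entry = (target, secret["RuleID"], secret["StartLine"], why)
            (suppressed if why else kept).append(entry)
    return kept, suppressed


if __name__ == "__main__":
    for label, rules in (("absolute", ALLOW_RULES_ABSOLUTE), ("relative", ALLOW_RULES_RELATIVE)):
        kept, suppressed = apply_allow_rules(REPORT, rules)
        print(f"{label}: kept={len(kept)} suppressed={len(suppressed)}")
        for target, rule_id, line, why in suppressed:
            print(f"  suppressed {rule_id} in {target}:{line} by allow-rule {why}")
```

With the absolute pattern nothing is suppressed; with the relative patterns the virtualenv finding and the backend.js finding are suppressed and the prod.env hit is kept. A path allow-rule skips every finding in the matched file, so it should be as narrow as possible (one file rather than a whole tree) when, as the issue author wants, the aws-access-key-id rule itself must stay active for the rest of the image.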

github-actions bot commented

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jul 11, 2022

5 participants