Asymmetric Private Key secret rule triggers on empty secret #2427
Assignees
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Comments
|
Hello @paul-gould I will check this case and write to you Regards, Dmitriy |
6 tasks
|
Hello @paul-gould Thanks for your report! Fix will be contain in next release. Best Regards, Dmitriy |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Since 0.29.2, the asymmetric private key rule is triggering on
python3.9/site-packages/googleapiclient/discovery_cache/documents/appengine.v1.json. This is a schema definition and contains the textThis is using the GitHub trivy-action, which looks to have been updated to use trivy v 0.29.2 last night.
What did you expect to happen?
Detection not triggered as the keyblock only contains whitespace.
What happened instead?
Detection triggered.
Additional details (base image name, container registry info...):
Culprit looks to be the change made in aquasecurity/fanal@e8bca31. Adding the extra
-now means that the regex will match a whitespace-only keyblock, which didn't happen previously. However, I think the regex needs to be updated so that a keyblock that contains only whitespace is not a match.The text was updated successfully, but these errors were encountered: