Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Some secret detection regexes expect the value to be surrounded by quotes #6787

Closed
2 tasks done
nikpivkin opened this issue May 27, 2024 Discussed in #6785 · 3 comments · Fixed by #7627
Closed
2 tasks done

Some secret detection regexes expect the value to be surrounded by quotes #6787

nikpivkin opened this issue May 27, 2024 Discussed in #6785 · 3 comments · Fixed by #7627
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning

Comments

@nikpivkin
Copy link
Contributor

Discussed in #6785

Originally posted by asankov May 27, 2024

Description

I am playing around with the secret detection features and I see that some matchers like grafana-api-token, hashicorp-tf-api-token and others expect that the value of the token is surrounded by quotes ['\"].

This means that If I have a file like this:

grafana:
    token: eyJrIjoiNjQyOT...

or

GRAFANA_TOKEN=eyJrIjoiNjQyOT...

the value would not be detected by the scanner.

What is the reason to expect them to be like that?

Desired Behavior

The token is matched regardless of whether the value is surrounded by quotes or not.

Actual Behavior

Token is not matched unless value is in quotes.

Reproduction Steps

1. Create a YAML or .env file similar to the one I provided in the description of the issue.
2. Run it via the secret detector
3. Observe that no findings are reported

Target

Filesystem

Scanner

Secret

Output Format

None

Mode

None

Debug Output

$ trivy fs secrets --debug
2024-05-27T13:40:23+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-27T13:40:23+03:00	DEBUG	Ignore statuses	statuses=[]
2024-05-27T13:40:23+03:00	DEBUG	Cache dir	dir="/Users/asankov/Library/Caches/trivy"
2024-05-27T13:40:23+03:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-27T13:40:23+03:00	DEBUG	DB info	schema=2 updated_at=2024-05-27T06:12:09.854561954Z next_update=2024-05-27T12:12:09.854561794Z downloaded_at=2024-05-27T10:39:59.156462Z
2024-05-27T13:40:23+03:00	INFO	Vulnerability scanning is enabled
2024-05-27T13:40:23+03:00	DEBUG	Vulnerability type	type=[os library]
2024-05-27T13:40:23+03:00	INFO	Secret scanning is enabled
2024-05-27T13:40:23+03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-27T13:40:23+03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-27T13:40:23+03:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-27T13:40:23+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-27T13:40:23+03:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-27T13:40:23+03:00	DEBUG	OS is not detected.
2024-05-27T13:40:23+03:00	DEBUG	Detected OS: unknown
2024-05-27T13:40:23+03:00	INFO	Number of language-specific files	num=0

Operating System

macOS

Version

Version: 0.51.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-27 06:12:09.854561954 +0000 UTC
  NextUpdate: 2024-05-27 12:12:09.854561794 +0000 UTC
  DownloadedAt: 2024-05-27 10:39:59.156462 +0000 UTC

Checklist

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning labels May 27, 2024
@asankov
Copy link

asankov commented May 27, 2024

Do you want me to contribute a fix?

It will be trivial to make the quotes optional.

@nikpivkin
Copy link
Contributor Author

@asankov Thanks for your interest! Trivy is open for contributions https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md

@sgaist
Copy link
Contributor

sgaist commented Sep 30, 2024

Hi,

I would like to tackle this for Hacktoberfest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants