JWT secret detector only works if "JWT" word is in scope #6802
Labels
help wanted
Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
kind/bug
Categorizes issue or PR as related to a bug.
Discussed in #6786
Originally posted by asankov May 27, 2024
Description
The secret detector would not detect a JWT unless there is the word "JWT" somewhere on the line.
For example, this file:
would yield no findings, but this one:
will.
This is due to the
jwt
being set in theKeywords
in the jwt matcher - https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go#L591Desired Behavior
JWT token is detected regardless of other context.
Actual Behavior
JWT token is detected only if
jwt
is present on the lineReproduction Steps
Target
Filesystem
Scanner
Secret
Output Format
None
Mode
None
Debug Output
Operating System
macOS
Version
Checklist
trivy image --reset
The text was updated successfully, but these errors were encountered: