fix(secret): skip regular strings contain secret patterns #7182
Conversation
Tests finally completed, so I think this PR is ready for review. @knqyf263 @DmitriyLewen could you take a look when you have time? Thanks.

@DmitriyLewen is it possible to create a correct variable name only with A-F letters?
(trivy/pkg/fanal/secret/builtin-rules.go, lines 245 to 252 in 9269563)
I think we can add prefix for
I don't understand you. Unexpected prefix can use any characters.

We talked offline with @afdesk and decided that the likelihood of accidentally obtaining these secrets is extremely low and there is no need to add prefix check for them.
LGTM
Description
Trivy shouldn't detect some strings containing letters before a secret, e.g. `DISPID_ICANVASRENDERINGCONTEXT2D_CANVAS`.

This PR excludes `0-9a-zA-Z` for the next rules:
- `ghp_`
- `gho_`
- `ghu_` / `ghs_`
- `ghr_`
- `hf_`
- `xoxb-` / `xoxa-` / `xoxp-` / `xoxr-` / `xoxs-`
- `pk_test_` / `pk_live_`
- `sk_test_` / `sk_live_`
- `FLWSECK_TEST-` / `FLWPUBK_TEST-`
- `FLWSECK_TEST`
There is no need to skip secrets for most cases, because such strings still contain sensitive data or have a long alphanumeric sequence. The EasyPost API token rule was skipped, because this one should have quotes before and after a token.
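As an added illustration (not code from this PR or from Trivy's builtin-rules.go), the Go program below contrasts a naive prefix rule with one that excludes `0-9a-zA-Z` before the prefix, the approach the description lists for `ghp_` and the other prefixes. The `ghp_` + 36 alphanumerics shape and the sample lines are constructed assumptions, not Trivy's exact patterns.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed, simplified rule shape (assumed, not Trivy's exact rule):
// a token is modelled as the prefix "ghp_" followed by 36 alphanumerics.
const tokenBody = `[0-9a-zA-Z]{36}`

// Naive rule: matches the prefix anywhere, even inside a longer identifier.
var naiveRule = regexp.MustCompile(`ghp_` + tokenBody)

// RE2 (Go's regexp) has no lookbehind, so "no alphanumeric before the prefix"
// is expressed as a leading group that must be start-of-input or a
// non-alphanumeric character. Group 1 is the boundary, group 2 the token.
var boundedRule = regexp.MustCompile(`(^|[^0-9a-zA-Z])(ghp_` + tokenBody + `)`)

// FindNaive returns every candidate the naive rule reports in s.
func FindNaive(s string) []string {
	return naiveRule.FindAllString(s, -1)
}

// FindBounded returns only tokens not preceded by an alphanumeric character.
func FindBounded(s string) []string {
	var out []string
	for _, m := range boundedRule.FindAllStringSubmatch(s, -1) {
		out = append(out, m[2]) // drop the boundary character, keep the token
	}
	return out
}

func main() {
	// Constructed sample lines: an identifier that merely contains "ghp_" in
	// the middle (false positive), and two lines with a real-shaped token.
	samples := []string{
		`ENABLE_GRAPHghp_1234567890abcdefghijABCDEFGHIJ123456`,
		`token = "ghp_1234567890abcdefghijABCDEFGHIJ123456"`,
		`export GH=ghp_1234567890abcdefghijABCDEFGHIJ123456`,
	}
	for _, s := range samples {
		fmt.Printf("naive=%v bounded=%v <- %s\n", FindNaive(s), FindBounded(s), s)
	}
}
```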
- `0-9a-zA-Z` before secret #7176

Checklist