docs: add info about multi-line mode for regexp from custom secret ru…

…les (#4159)
aquasecurity · May 24, 2023 · 919e8c9 · 919e8c9
1 parent 50fe43f
commit 919e8c9
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 0 deletions.
diff --git a/docs/docs/scanner/secret.md b/docs/docs/scanner/secret.md
@@ -95,6 +95,9 @@ Trivy tries to load `trivy-secret.yaml` in the current directory by default.
 If the file doesn't exist, only built-in rules are used.
 You can customize the config file path via the `--secret-config` flag.
 
+!!! warning
+    Trivy uses [Golang regexp package](https://pkg.go.dev/regexp/syntax#hdr-Syntax). To use `^` and `$` as simbols of begin and end of line use multi-line mode -`(?m)`.
+
 ### Custom Rules
 Trivy allows defining custom rules.
 

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -527,6 +527,37 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantMultiLine := types.SecretFinding{
+		RuleID:    "multi-line-secret",
+		Category:  "general",
+		Title:     "Generic Rule",
+		Severity:  "HIGH",
+		StartLine: 2,
+		EndLine:   2,
+		Match:     "***************",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "123",
+					Highlighted: "123",
+				},
+				{
+					Number:      2,
+					Content:     "***************",
+					Highlighted: "***************",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+				{
+					Number:      3,
+					Content:     "123",
+					Highlighted: "123",
+				},
+			},
+		},
+	}
 
 	tests := []struct {
 		name          string
@@ -751,6 +782,21 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFindingAsymmSecretKey},
 			},
 		},
+		{
+			name:          "begin/end line symbols without multi-line mode",
+			configPath:    filepath.Join("testdata", "multi-line-off.yaml"),
+			inputFilePath: "testdata/multi-line.txt",
+			want:          types.Secret{},
+		},
+		{
+			name:          "begin/end line symbols with multi-line mode",
+			configPath:    filepath.Join("testdata", "multi-line-on.yaml"),
+			inputFilePath: "testdata/multi-line.txt",
+			want: types.Secret{
+				FilePath: "testdata/multi-line.txt",
+				Findings: []types.SecretFinding{wantMultiLine},
+			},
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/pkg/fanal/secret/testdata/multi-line-off.yaml b/pkg/fanal/secret/testdata/multi-line-off.yaml
@@ -0,0 +1,8 @@
+rules:
+  - id: multi-line-sect
+    category: general
+    title: Generic Rule
+    severity: HIGH
+    regex: '^multi-line: \d+$'
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/multi-line-on.yaml b/pkg/fanal/secret/testdata/multi-line-on.yaml
@@ -0,0 +1,8 @@
+rules:
+  - id: multi-line-secret
+    category: general
+    title: Generic Rule
+    severity: HIGH
+    regex: '(?m)^multi-line: \d+$'
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/multi-line.txt b/pkg/fanal/secret/testdata/multi-line.txt
@@ -0,0 +1,3 @@
+123
+multi-line: 123
+123