False Positives In Secret Detection

[behara]

False Positive In Secret Scanning

When we scan an image with trivy we see false positives in secret scanning detection

What did you expect to happen?

When i use docker file

FROM alpine:3.16.3
COPY vendor.0dccb716b100d1dd.js.map /

This image shouldn't have false positives.

BTW attached zip file of vendor.0dccb716b100d1dd.js.map vendorFile.zip. Or else you can scan image automation.azurecr.io/secret:fp from docker hub.

What happened instead?

3 secrets got detected but all are false positives

trivy/pkg/fanal/secret/builtin-rules.go

Line 771 in 4b36e97

Title: "LinkedIn Client ID",

trivy/pkg/fanal/secret/builtin-rules.go

Line 762 in 4b36e97

Title: "LinkedIn Client secret",

trivy/pkg/fanal/secret/builtin-rules.go

Line 420 in 4b36e97

Title: "Dropbox API secret/key",

Also the match content is huge

Output of run with -debug:

Please check it content is huge

Output of trivy -v:

Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-14 06:09:41.908036711 +0000 UTC
  NextUpdate: 2023-04-14 12:09:41.908036411 +0000 UTC
  DownloadedAt: 2023-04-14 09:56:28.600213492 +0000 UTC

[afdesk]

@behara
it seems 0dccb716b100d1dd looks like ID )
UPD no, my first thought was wrong. this large file contains some characters match the build-in rules.

you can disable these rules for your cases.
https://aquasecurity.github.io/trivy/v0.39/docs/secret/configuration/#disable-rules

[afdesk]

i managed to find the first problem place:

[afdesk]

the second place:

the third place: