
Documented default for --security-checks is incorrect #2104

Closed
thiago-gitlab opened this issue May 12, 2022 · 4 comments · Fixed by #2107
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@thiago-gitlab
Contributor

Description

https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/image/ states:

--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]

However, #2054 (comment) states:

In version 0.27.0 we added a secret scan. Secret scan is currently enabled by default.

What did you expect to happen?

One of:

  1. The documented default for --security-checks to be vuln,secret; OR
  2. The default for --security-checks to actually be vuln.

What happened instead?

A mismatch between the documented default and the actual default.

Output of run with -debug:

(paste your output here)

Output of trivy -v:

(paste your output here)

Additional details (base image name, container registry info...):

@thiago-gitlab thiago-gitlab added the kind/bug Categorizes issue or PR as related to a bug. label May 12, 2022
@thiago-gitlab
Contributor Author

Hi, @knqyf263. 👋🏽

I was looking to disable secret detection in the GitLab integration with Trivy due to it causing timeouts. When I checked the documentation, it seems that it should be disabled by default.

But someone commented in a thread that it's enabled by default.

If the documentation is incorrect, I'd be happy to send a quick PR. If the default is incorrect, I'm afraid that's beyond my abilities :-)

@knqyf263
Collaborator

Hi @thiago-gitlab, thanks for raising an issue. The documentation is incorrect. It would be appreciated if you fix it.

As for timeout, yes, it can be slow if there are many files or large files. It is ok to disable secret scanning if you don't need it, but you can also tune the configuration.
https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/scanning/#recommendation
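One defensive way to act on this thread, as an added example that is not from the issue or the Trivy project: a small CI wrapper that always passes `--security-checks` explicitly, so a documentation/code mismatch like the one reported here cannot silently change which scanners run. The scanner names `vuln`, `config` and `secret` and the `--security-checks` flag are the ones the thread and the linked CLI reference mention; the function names and the `PIPELINE_SECURITY_CHECKS` variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the Trivy project): pin the scanner
# set explicitly rather than relying on the documented default.

# Validate a comma-separated scanner list against the values the v0.27 CLI
# knows about (vuln, config, secret). Prints the normalized list on success;
# returns 1 on an empty list or an unknown scanner name.
security_checks_arg() {
    list=$1
    [ -n "$list" ] || return 1
    old_ifs=$IFS
    IFS=,
    out=""
    for item in $list; do
        case $item in
            vuln|config|secret) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
        out="${out:+$out,}$item"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Build the trivy command line for an image. PIPELINE_SECURITY_CHECKS (a
# hypothetical wrapper variable) defaults to "vuln", so secret scanning is
# off unless a pipeline opts in with PIPELINE_SECURITY_CHECKS=vuln,secret.
trivy_image_cmd() {
    image=$1
    checks=$(security_checks_arg "${PIPELINE_SECURITY_CHECKS:-vuln}") || return 1
    printf 'trivy image --security-checks %s %s\n' "$checks" "$image"
}

# Usage with a constructed image name; run the printed command with eval or
# replace printf with a direct trivy call in a real pipeline:
#   PIPELINE_SECURITY_CHECKS=vuln,secret trivy_image_cmd alpine:3.15
```

Because the wrapper rejects unknown scanner names before invoking Trivy, a typo such as `secrets` fails the pipeline step instead of being passed through to the CLI.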

@thiago-gitlab
Contributor Author

Done!

Thanks for the recommendation and quick reply.

We'll look into it after the team sees how it plays with the existing secret scanner or else it may cause duplicate vulnerabilities to be reported.

@knqyf263
Collaborator

Done!

Thanks for the quick fix!

We'll look into it after the team sees how it plays with the existing secret scanner or else it may cause duplicate vulnerabilities to be reported.

It was just FYI. It is up to you👍
