image secret scanning does not adhere to global allow rules from secrets config file #4100

Closed
straun opened this issue Apr 20, 2023 · 1 comment
Assignees
Labels
scan/secret Issues relating to secret scanning triage/support Indicates an issue that is a support question.

Comments

@straun

straun commented Apr 20, 2023

Description

The scan matching of fs vs image secret scanning is different. fs correctly allows paths to be ignored; image fails to use the same allow rules.

What did you expect to happen?

I expected the results of scanning a filesystem for secrets to be the same as scanning an image layer for secrets.

What happened instead?

The image scan fails to adhere to the allow rules.

Output of run with --debug:

With the filesystem:

tests:
fixtures      <snip>

tests/fixtures:
key.pem  <snip>

Where the key.pem file is a secret generated with openssl genrsa -des3 -passout pass:x -out key.pem 2048.

And the secrets config file:

allow-rules:
  - description: skip test key
    path: .*/key\.pem

When I run the fs version locally:

trivy --debug  fs -f json  --security-checks secret --secret-config ./tests/fixtures/secrets-ignorefile.yaml tests
2023-04-20T14:20:03.641Z        WARN    '--security-checks' is deprecated. Use '--scanners' instead.
2023-04-20T14:20:03.646Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-20T14:20:03.686Z        DEBUG   cache dir:  /root/.cache/trivy
2023-04-20T14:20:03.687Z        INFO    Secret scanning is enabled
2023-04-20T14:20:03.687Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-20T14:20:03.688Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.40/docs/secret/scanning/#recommendation for faster secret detection
2023-04-20T14:20:03.688Z        INFO    Loading ./tests/fixtures/secrets-ignorefile.yaml for secret scanning...
2023-04-20T14:20:03.689Z        DEBUG   Walk the file tree rooted at 'tests' in parallel
2023-04-20T14:20:03.701Z        DEBUG   OS is not detected.
{
  "SchemaVersion": 2,
  "ArtifactName": "tests",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
}

But when I build a docker image using this Dockerfile:

FROM alpine:latest
RUN apk add openssl
RUN openssl genrsa -des3 -passout pass:x -out key.pem 2048

This creates an image (example:local) with the /key.pem file that triggers as a secret.

When I run the image scan using the same ignores file:

trivy --debug  image -f json  --security-checks secret --secret-config ./tests/fixtures/secrets-ignorefile.yaml   "example:local"
2023-04-20T14:20:31.785Z        WARN    '--security-checks' is deprecated. Use '--scanners' instead.
2023-04-20T14:20:31.789Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-20T14:20:31.837Z        DEBUG   cache dir:  /root/.cache/trivy
2023-04-20T14:20:31.837Z        INFO    Container image config scanners: ["secret"]
2023-04-20T14:20:31.837Z        INFO    Secret scanning is enabled
2023-04-20T14:20:31.837Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-20T14:20:31.837Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.40/docs/secret/scanning/#recommendation for faster secret detection
2023-04-20T14:20:31.844Z        INFO    Loading ./tests/fixtures/secrets-ignorefile.yaml for secret scanning...
2023-04-20T14:20:31.844Z        DEBUG   Image ID: sha256:11139b7b31889549f9092d8718462e7616c4a8a6814c825a1924673152f8d67a
2023-04-20T14:20:31.844Z        DEBUG   Diff IDs: [sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5 sha256:daaec6c27ad1d939e8eb5ec9ec9540218135887f53632fc09ff1d90af40f9d5f sha256:85a5640f9c9ae633dfb64bd5d4e52e0e344e0249281001d288b5d211595429e8]
2023-04-20T14:20:31.844Z        DEBUG   Base Layers: [sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5]
2023-04-20T14:20:31.846Z        DEBUG   Secret file: /key.pem
{
  "SchemaVersion": 2,
  "ArtifactName": "example:local",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.17.3"
    },
    "ImageID": "sha256:11139b7b31889549f9092d8718462e7616c4a8a6814c825a1924673152f8d67a",
    "DiffIDs": [
      "sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5",
      "sha256:daaec6c27ad1d939e8eb5ec9ec9540218135887f53632fc09ff1d90af40f9d5f",
      "sha256:85a5640f9c9ae633dfb64bd5d4e52e0e344e0249281001d288b5d211595429e8"
    ],
    "RepoTags": [
      "example:local"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "3af1d23336604d5a27d80b083a8623aa9578f7850ede42ab8d2d78fe69e96eba",
      "created": "2023-04-20T11:17:31.449541672Z",
      "docker_version": "20.10.21",
      "history": [
        {
          "created": "2023-03-29T18:19:24Z",
          "created_by": "/bin/sh -c #(nop) ADD file:9a4f77dfaba7fd2aa78186e4ef0e7486ad55101cefc1fabbc1b385601bb38920 in / "
        },
        {
          "created": "2023-03-29T18:19:24Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        },
        {
          "created": "2023-04-20T10:54:36Z",
          "created_by": "/bin/sh -c apk add openssl"
        },
        {
          "created": "2023-04-20T11:17:31Z",
          "created_by": "/bin/sh -c openssl genrsa -des3 -passout pass:x -out key.pem 2048"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5",
          "sha256:daaec6c27ad1d939e8eb5ec9ec9540218135887f53632fc09ff1d90af40f9d5f",
          "sha256:85a5640f9c9ae633dfb64bd5d4e52e0e344e0249281001d288b5d211595429e8"
        ]
      },
      "config": {
        "Cmd": [
          "/bin/sh"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Image": "sha256:38cfc27132d9759415c8e41586b564ce0c86dede3eab11c5131dbde2585008fc"
      }
    }
  },
  "Results": [
    {
      "Target": "/key.pem",
      "Class": "secret",
      "Secrets": [
        {
          "RuleID": "private-key",
          "Category": "AsymmetricPrivateKey",
          "Severity": "HIGH",
          "Title": "Asymmetric Private Key",
          "StartLine": 1,
          "EndLine": 1,
          "Code": {
            "Lines": [
              {
                "Number": 1,
                "Content": "-----BEGIN ENCRYPTED PRIVATE KEY-----*****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END ENCRYPTED PRIVATE KEY-----",
                "IsCause": true,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "-----BEGIN ENCRYPTED PRIVATE KEY-----*****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END ENCRYPTED PRIVATE KEY-----",
                "FirstCause": true,
                "LastCause": true
              },
              {
                "Number": 2,
                "Content": "",
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
                "FirstCause": false,
                "LastCause": false
              }
            ]
          },
          "Match": "GIN ENCRYPTED PRIVATE KEY-----*****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END ENCRYPTED P",
          "Layer": {
            "DiffID": "sha256:85a5640f9c9ae633dfb64bd5d4e52e0e344e0249281001d288b5d211595429e8",
            "CreatedBy": "openssl genrsa -des3 -passout pass:x -out key.pem 2048"
          }
        }
      ]
    }
  ]
}

The allow rules have not been applied.

Output of trivy -v:

Version: 0.40.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-20 12:07:40.789768334 +0000 UTC
  NextUpdate: 2023-04-20 18:07:40.789767934 +0000 UTC
  DownloadedAt: 2023-04-20 13:22:35.450119866 +0000 UTC

Additional details (base image name, container registry info...):

https://github.com/aquasecurity/trivy/blob/main/pkg/scanner/local/scan.go#L163
This appears to be normalised after the allow rules have been used.

@straun straun added the kind/bug Categorizes issue or PR as related to a bug. label Apr 20, 2023
@DmitriyLewen DmitriyLewen added triage/support Indicates an issue that is a support question. scan/secret Issues relating to secret scanning and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 24, 2023
@DmitriyLewen
Collaborator

DmitriyLewen commented Apr 24, 2023

Hello @straun
Thanks for your report!

The problem is in your regex: https://regex101.com/r/vGO4Up/1

For the image you created the key.pem file in /.
In this case the path for the file is key.pem and the regex doesn't match it.

You need to move key.pem to a folder (for the image) or change the regex to .*key\.pem.

Feel free to reopen this issue if you still have the problem.

Best Regards, Dmitriy
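The path-matching behaviour behind this thread, as an added Go example that is not part of the issue or of Trivy's code base: a small allow-rule filter is run over the two constructed paths from the report (the fixture under tests/fixtures and the bare key.pem the image scan sees) plus a third constructed path, mykey.pem, to show that the suggested fix .*key\.pem is broader than intended, and that an anchored pattern (my own suggestion, beyond the thread) allows only the intended file. The unanchored MatchString semantics and the AllowRule struct are assumptions that mirror the config shape, not Trivy's own types.

```go
package main

import (
	"fmt"
	"regexp"
)

// AllowRule mirrors one entry of the allow-rules list in the secret config
// (hypothetical struct, not Trivy's own type); Path is the YAML pattern compiled.
type AllowRule struct {
	Description string
	Path        *regexp.Regexp
}

// ApplyAllowRules drops every secret path that matches some allow rule
// (unanchored regex search, assumed to mirror the scanner) and returns the rest.
func ApplyAllowRules(paths []string, rules []AllowRule) []string {
	var kept []string
	for _, p := range paths {
		allowed := false
		for _, r := range rules {
			if r.Path.MatchString(p) {
				allowed = true
				break
			}
		}
		if !allowed {
			kept = append(kept, p)
		}
	}
	return kept
}

func main() {
	// Constructed inputs: the fs scan sees the fixture under tests/fixtures,
	// the image scan sees the file written to / as the bare path key.pem.
	paths := []string{"tests/fixtures/key.pem", "key.pem", "tests/mykey.pem"}
	for _, pattern := range []string{`.*/key\.pem`, `.*key\.pem`, `(^|/)key\.pem$`} {
		rule := AllowRule{Description: "skip test key", Path: regexp.MustCompile(pattern)}
		fmt.Printf("%-16s still reports %v\n", pattern, ApplyAllowRules(paths, []AllowRule{rule}))
	}
}
```

The rule as written keeps reporting the root-level key.pem, the suggested .*key\.pem also silences mykey.pem, and the anchored form allows exactly the fixture key in both scan modes.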
