fix(image): pass the secret scanner option to scan the img config #4735

Merged
merged 1 commit into from
Jun 29, 2023

Conversation

nikpivkin
Contributor

@nikpivkin nikpivkin commented Jun 29, 2023

Description

Options for scanning secrets (which include the path to the custom config) are not passed to the image config scanner.

See #4648 (comment)

Before

2023-06-29T12:37:39.432+0600    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-29T12:37:39.449+0600    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-06-29T12:37:39.449+0600    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-06-29T12:37:39.449+0600    INFO    Container image config scanners: ["secret"]
2023-06-29T12:37:39.449+0600    INFO    Secret scanning is enabled
2023-06-29T12:37:39.449+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-29T12:37:39.449+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-06-29T12:37:39.462+0600    INFO    Loading /Users/tososomaru/projects/trivy-test/img-metadata/trivy-secret.yaml for secret scanning...
2023-06-29T12:37:39.462+0600    DEBUG   Image ID: sha256:56a6b46d5c216b5a0f1725f5013b76a66b7b6b6f660fc179089f74f993a43ab7
2023-06-29T12:37:39.462+0600    DEBUG   Diff IDs: [sha256:f91a1976f6115aa19b74c47d9c09c7d22f0f6118fb19b71283f8ae898649ea09]
2023-06-29T12:37:39.462+0600    DEBUG   Base Layers: []
2023-06-29T12:37:39.463+0600    DEBUG   Missing image ID in cache: sha256:56a6b46d5c216b5a0f1725f5013b76a66b7b6b6f660fc179089f74f993a43ab7
2023-06-29T12:37:39.463+0600    DEBUG   Missing diff ID in cache: sha256:f91a1976f6115aa19b74c47d9c09c7d22f0f6118fb19b71283f8ae898649ea09
2023-06-29T12:37:39.479+0600    DEBUG   No secrets found in container image config
2023-06-29T12:37:39.487+0600    DEBUG   OS is not detected.

After

2023-06-29T12:37:57.668+0600    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-29T12:37:57.704+0600    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-06-29T12:37:57.704+0600    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-06-29T12:37:57.704+0600    INFO    Container image config scanners: ["secret"]
2023-06-29T12:37:57.704+0600    INFO    Secret scanning is enabled
2023-06-29T12:37:57.704+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-29T12:37:57.704+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-06-29T12:37:57.717+0600    INFO    Loading /Users/tososomaru/projects/trivy-test/img-metadata/trivy-secret.yaml for secret scanning...
2023-06-29T12:37:57.718+0600    INFO    Loading /Users/tososomaru/projects/trivy-test/img-metadata/trivy-secret.yaml for secret scanning...
2023-06-29T12:37:57.718+0600    DEBUG   Image ID: sha256:56a6b46d5c216b5a0f1725f5013b76a66b7b6b6f660fc179089f74f993a43ab7
2023-06-29T12:37:57.718+0600    DEBUG   Diff IDs: [sha256:f91a1976f6115aa19b74c47d9c09c7d22f0f6118fb19b71283f8ae898649ea09]
2023-06-29T12:37:57.718+0600    DEBUG   Base Layers: []
2023-06-29T12:37:57.718+0600    DEBUG   Missing image ID in cache: sha256:56a6b46d5c216b5a0f1725f5013b76a66b7b6b6f660fc179089f74f993a43ab7
2023-06-29T12:37:57.718+0600    DEBUG   Missing diff ID in cache: sha256:f91a1976f6115aa19b74c47d9c09c7d22f0f6118fb19b71283f8ae898649ea09
2023-06-29T12:37:57.742+0600    DEBUG   OS is not detected.
2023-06-29T12:37:57.742+0600    DEBUG   Secret file: secret-laden-image:latest

secret-laden-image:latest (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: credentialedURI (credentialedURI)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Username and password in URI
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 secret-laden-image:latest:7
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5     {
   6     "created": "2023-06-29T04:08:22Z",
   7 [   "created_by": "ADD ***************************************************** . # buildkit",
   8     "comment": "buildkit.dockerfile.v0"
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@nikpivkin nikpivkin marked this pull request as ready for review June 29, 2023 07:32
@nikpivkin nikpivkin requested a review from knqyf263 as a code owner June 29, 2023 07:32
@knqyf263 knqyf263 added this pull request to the merge queue Jun 29, 2023
Merged via the queue into aquasecurity:main with commit 790c805 Jun 29, 2023
13 checks passed
@nikpivkin nikpivkin deleted the fix/img-config-secret branch July 20, 2023 16:06
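
The effect shown in the Before/After logs, as an added illustration that is not Trivy's code and not part of this PR: a custom rule can only flag a credentialed URI in an image config's `history[].created_by` if the rule set actually reaches the config scanner. The `Rule` and `Finding` types, `ScanImageConfig`, the regex, and the sample config (including its host name) are assumptions constructed for this example; only the rule ID `credentialedURI` comes from the output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Rule and Finding are hypothetical stand-ins, not Trivy's own types.
type Rule struct {
	ID    string
	Regex *regexp.Regexp
}
type Finding struct {
	RuleID string
	Entry  int    // index into history[]
	Masked string // created_by with the matched secret replaced
}

// Constructed image config: the ADD source URL embeds a username and password.
const sampleConfig = `{"history":[
 {"created_by":"RUN apk add --no-cache curl"},
 {"created_by":"ADD https://builder:s3cr3t@files.example.test/app.tgz . # buildkit"}]}`
// Rule ID as in the PR output; the regex itself is an assumption.
var credentialedURI = Rule{"credentialedURI", regexp.MustCompile(`[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@[^\s/]+`)}

// ScanImageConfig applies rules to each history entry; nil rules models the dropped option.
func ScanImageConfig(config []byte, rules []Rule) ([]Finding, error) {
	var cfg struct {
		History []struct {
			CreatedBy string `json:"created_by"`
		} `json:"history"`
	}
	if err := json.Unmarshal(config, &cfg); err != nil {
		return nil, fmt.Errorf("parse image config: %w", err)
	}
	var out []Finding
	for i, h := range cfg.History {
		for _, r := range rules {
			if r.Regex.MatchString(h.CreatedBy) {
				out = append(out, Finding{RuleID: r.ID, Entry: i, Masked: r.Regex.ReplaceAllString(h.CreatedBy, "*****")})
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := ScanImageConfig([]byte(sampleConfig), []Rule{credentialedURI})
	fmt.Println(findings, err)
}
```

Calling `ScanImageConfig` with `nil` rules on the same input returns no findings, which corresponds to the "No secrets found in container image config" line in the Before log.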