feat(secret): add secret config file for cache calculation #4837

Merged
merged 6 commits into from
Jul 23, 2023

Conversation

DmitriyLewen
Contributor

@DmitriyLewen DmitriyLewen commented Jul 18, 2023

Description

Add secret config file for cache calculation.
It fixes a bug with secret scan and cache (see #4796):
before:

➜ trivy image --scanners secret --secret-config trivy-config-secret.yaml quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e 
2023-07-18T15:09:32.821+0600    INFO    Secret scanning is enabled
2023-07-18T15:09:32.821+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-18T15:09:32.821+0600    INFO    Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-07-18T15:09:32.824+0600    INFO    Loading trivy-config-secret.yaml for secret scanning...
2023-07-18T15:09:32.825+0600    INFO    Loading trivy-config-secret.yaml for secret scanning...

/usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem:1 (added by 'COPY dir:197d381bfcf8167e314592c950a7857')
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ -----BEGIN ENCRYPTED PRIVATE KEY-----***-----END ENCRYPTED PRIVATE KEY-----
   2   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

➜ trivy image --scanners secret quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e 
2023-07-18T15:10:10.081+0600    INFO    Secret scanning is enabled
2023-07-18T15:10:10.081+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-18T15:10:10.081+0600    INFO    Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection

/usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem:1 (added by 'COPY dir:197d381bfcf8167e314592c950a7857')
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ -----BEGIN ENCRYPTED PRIVATE KEY-----***-----END ENCRYPTED PRIVATE KEY-----
   2   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

after:

➜ ./trivy image --scanners secret --secret-config trivy-config-secret.yaml quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e
2023-07-18T15:10:19.143+0600    INFO    Secret scanning is enabled
2023-07-18T15:10:19.143+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-18T15:10:19.143+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-07-18T15:10:19.143+0600    INFO    Loading trivy-config-secret.yaml for secret scanning...

/usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /usr/share/proton/examples/c/ssl-certs/tclient-private-key.pem:1 (added in layer '15e3d325d68b')
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ -----BEGIN ENCRYPTED PRIVATE KEY-----***-----END ENCRYPTED PRIVATE KEY-----
   2   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

➜ ./trivy image --scanners secret quay.io/skupper/skupper-router@sha256:0d207c60a150cad4d7743def8c9fc3565724e8980c6d93c326ba26dde44c675e 
2023-07-18T15:10:33.948+0600    INFO    Secret scanning is enabled
2023-07-18T15:10:33.948+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-18T15:10:33.948+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
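
The point of the fix above is that a cache key must cover every input that can change a scan result: while the secret config was left out of the key, a scan without `--secret-config` reused the entry written by the run with it. The Go program below is an added illustration of that requirement, not Trivy's own `CalcKey` or `fanal` cache code. It hashes the artifact id, the analyzer versions and the content of each option file, including the secret config, and shows that two different configs produce two different keys while an absent config path (which falls back to built-in rules) produces the same key as no config at all. `ScanOptions`, `CalcKey`, `hashContents`, `Demo`, the analyzer version numbers and the two YAML snippets are all constructed for this example; it also returns an error for an unreadable config instead of silently leaving it out of the key.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// hashContents returns the hex SHA-256 of one file's content (directories are out of scope here).
func hashContents(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// ScanOptions is a hypothetical stand-in for the option struct whose file inputs feed the cache key.
type ScanOptions struct {
	PolicyPaths      []string
	DataPaths        []string
	SecretConfigPath string // empty when no secret config flag was given
}

// CalcKey derives the cache key from the artifact id, the analyzer versions and the
// content of every file that can change scan results, the secret config included.
func CalcKey(id string, analyzerVersions map[string]int, opt ScanOptions) (string, error) {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00", id)
	names := make([]string, 0, len(analyzerVersions))
	for n := range analyzerVersions {
		names = append(names, n)
	}
	sort.Strings(names) // map iteration order is random; the key must not be
	for _, n := range names {
		fmt.Fprintf(h, "%s=%d\x00", n, analyzerVersions[n])
	}
	// Fresh slice: appending onto opt.PolicyPaths itself could write into the caller's backing array.
	paths := make([]string, 0, len(opt.PolicyPaths)+len(opt.DataPaths)+1)
	paths = append(append(paths, opt.PolicyPaths...), opt.DataPaths...)
	if opt.SecretConfigPath != "" {
		switch _, err := os.Stat(opt.SecretConfigPath); {
		case err == nil:
			paths = append(paths, opt.SecretConfigPath)
		case errors.Is(err, fs.ErrNotExist):
			// Scanner falls back to built-in rules, the same state as no config: same key on purpose.
		default: // an unreadable config must not be dropped from the key silently
			return "", fmt.Errorf("stat secret config: %w", err)
		}
	}
	for _, p := range paths {
		sum, err := hashContents(p)
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%s\x00", sum)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// DemoKeys holds the keys Demo computes for one constructed artifact.
type DemoKeys struct{ NoConfig, ConfigA, ConfigB, ConfigAAgain, MissingConfig string }

// Demo writes two constructed secret configs to a temp dir and keys the same artifact
// with no config, each config, config A a second time, and an absent config path.
func Demo() (k DemoKeys, err error) {
	dir, err := os.MkdirTemp("", "cachekey")
	if err != nil {
		return k, err
	}
	defer os.RemoveAll(dir)
	cfgA, cfgB := filepath.Join(dir, "a.yaml"), filepath.Join(dir, "b.yaml")
	// Constructed configs: A adds a rule, B disables a built-in one.
	if err = os.WriteFile(cfgA, []byte("rules:\n  - id: encrypted-pkey\n    regex: BEGIN ENCRYPTED PRIVATE KEY\n"), 0o600); err != nil {
		return k, err
	}
	if err = os.WriteFile(cfgB, []byte("disable-rules:\n  - private-key\n"), 0o600); err != nil {
		return k, err
	}
	versions := map[string]int{"secret": 1, "dpkg": 3} // constructed analyzer versions
	key := func(cfg string) (s string) { // stops computing after the first error
		if err == nil {
			s, err = CalcKey("sha256:constructed-digest", versions, ScanOptions{SecretConfigPath: cfg})
		}
		return s
	}
	k = DemoKeys{NoConfig: key(""), ConfigA: key(cfgA), ConfigB: key(cfgB),
		ConfigAAgain: key(cfgA), MissingConfig: key(filepath.Join(dir, "absent.yaml"))}
	return k, err
}
```

`Demo()` returns five keys: `ConfigA` and `ConfigAAgain` are equal, `NoConfig`, `ConfigA` and `ConfigB` are pairwise different, and `MissingConfig` equals `NoConfig`. Feeding the file content rather than the path into the hash is what makes an edited config invalidate the cache; hashing only the path would keep the stale entry alive.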

@DmitriyLewen DmitriyLewen self-assigned this Jul 18, 2023
@DmitriyLewen DmitriyLewen marked this pull request as ready for review July 18, 2023 11:45
@DmitriyLewen DmitriyLewen changed the title refactor(secret): parse secret configuration file when initializing scanner configuration (before analyze) feat(secret): add secret config file for cache calculation Jul 19, 2023
@@ -50,7 +50,21 @@ func CalcKey(id string, analyzerVersions analyzer.Versions, hookVersions map[str
}
}

// TODO: add secret scanner option here
// Write secret config
Collaborator

I think we can use the existing logic for misconfiguration.
https://github.com/aquasecurity/trivy/blob/6534dec6704fb010f84b6add5db355a5ee81b0a8/pkg/fanal/cache/key.go#L39C1-L51C3

	// Write policy, data contents and secret config file
	paths := append(artifactOpt.MisconfScannerOption.PolicyPaths, artifactOpt.MisconfScannerOption.DataPaths...)

	// Check if the secret config exists.
	if _, err := os.Stat(artifactOpt.SecretScannerOption.ConfigPath); err == nil {
		paths = append(paths, artifactOpt.SecretScannerOption.ConfigPath)
	}
	for _, p := range paths {
		hash, err := hashContents(p)
		if err != nil {
			return "", err
		}

		if _, err := h.Write([]byte(hash)); err != nil {
			return "", xerrors.Errorf("sha256 write error: %w", err)
		}
	}
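Review bot: the secret-config check `if _, err := os.Stat(artifactOpt.SecretScannerOption.ConfigPath); err == nil` treats every Stat failure the same as "no config given", so a config that exists but cannot be read (permission or I/O error) is silently left out of the key while the scanner still tries to load it; a later run that can read the file would then hit a cache entry computed without it. Distinguish the not-exist case (`errors.Is(err, fs.ErrNotExist)` or `os.IsNotExist(err)`) and return any other error, the way the loop below already returns the error from `hashContents(p)`. Separately, `paths := append(artifactOpt.MisconfScannerOption.PolicyPaths, artifactOpt.MisconfScannerOption.DataPaths...)` appends onto the caller's slice; when PolicyPaths has spare capacity the DataPaths entries and the config path are written into its backing array. Starting from a fresh slice (`make([]string, 0, ...)` or `append([]string(nil), ...)`) avoids mutating the option struct as a side effect of computing a key.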

@knqyf263 knqyf263 added this pull request to the merge queue Jul 23, 2023
Merged via the queue into aquasecurity:main with commit 4aa9ea0 Jul 23, 2023
11 checks passed
@DmitriyLewen DmitriyLewen deleted the feat/secret-cache branch July 24, 2023 03:22
AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Aug 10, 2023
…ity#4837)

* move parse secret config to initScannerConfig + add secret to cache key

* add calc cache test

* just read config file and add to cache

* refactor comments

* refactor
Successfully merging this pull request may close these issues.

Need to calculate secret options for fanal cache key