feat(secret): add built-in rule for JWT tokens #5480
Conversation
Currently the secret scanning does not detect JWT tokens, which are used for example by Artifactory as an authentication mechanism. For example, if a user builds an OCI image and installs dependencies from a private Artifactory repository at build time and has passed those credentials in an insecure manner to the builder (for example using ARG statements), trivy needs to detect this leak.
Thanks for the contribution! Can we add severity? I think it's "LOW" or "MEDIUM". What do you think?
I personally would classify it as MEDIUM as we already had some leaks in our org because of trivy not detecting the secret.
@very-doge-wow OK, it sounds reasonable. Can you please add
Can't add any labels
I mean the source code.
like trivy/pkg/fanal/secret/builtin-rules.go, line 97 (at commit d0d3315)
Sorry, didn't get that 😄
As it's written here, JWT can be used for various purposes.
In this case, leaking the JWT is no big deal. It's not always a critical issue.
That's true, but it can be a critical issue. For me personally, I think it's worse to not classify something as critical that actually is a critical issue than it is to classify a non-critical issue as critical. But ultimately, that's up to you I guess
It's not easy to evaluate the severity. We can change it if many people think it should be a critical issue.
Description
The regex I added to the built-in rules is the same as used by gitleaks to detect JWT tokens:
https://github.com/gitleaks/gitleaks/blob/master/cmd/generate/config/rules/jwt.go
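The following is an added example, not code from Trivy or from this PR, showing what a JWT secret-scanning rule of the kind discussed above looks like when run over a Dockerfile that leaks a token through ARG. The regex is modelled on the gitleaks JWT rule (three dot-separated base64url segments, the first two starting with "ey") but simplified, so the exact pattern is an assumption of this example rather than the one merged here. It adds a post-filter the regex alone cannot provide: the header segment must decode to a JSON object carrying "alg", which is what separates a real JWT from any three dotted base64-looking blobs. The Dockerfile content is constructed for the example; the token on its second line is the public jwt.io demo token, not a real credential.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// jwtPattern matches three dot-separated base64url segments. The first two must
// start with "ey", which is how base64 encodes the `{"` that opens every JSON
// header and payload. Modelled on the gitleaks JWT rule but simplified; the
// exact pattern is an assumption of this example, not the rule merged in Trivy.
var jwtPattern = regexp.MustCompile(
	`\bey[A-Za-z0-9_-]{10,}\.ey[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}={0,2}`)

// Finding is one confirmed JWT hit in the scanned content.
type Finding struct {
	Line   int    // 1-based line number in the scanned file
	Alg    string // value of the header's "alg" claim
	Masked string // token with everything after the first 12 characters hidden
}

// decodeSegment base64url-decodes one segment, accepting tokens with or without padding.
func decodeSegment(seg string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
}

// looksLikeJWT is the post-filter: the header must decode to a JSON object with
// a non-empty "alg", and the payload must decode to a JSON object at all.
// The algorithm is returned so a caller can flag e.g. alg "none" separately.
func looksLikeJWT(candidate string) (string, bool) {
	parts := strings.Split(candidate, ".")
	if len(parts) != 3 {
		return "", false
	}
	hdrBytes, err := decodeSegment(parts[0])
	if err != nil {
		return "", false
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg == "" {
		return "", false
	}
	payloadBytes, err := decodeSegment(parts[1])
	if err != nil {
		return "", false
	}
	var payload map[string]any
	if err := json.Unmarshal(payloadBytes, &payload); err != nil {
		return "", false
	}
	return hdr.Alg, true
}

// mask keeps enough of the token to locate it in the file without reprinting the secret.
func mask(token string) string {
	if len(token) <= 12 {
		return strings.Repeat("*", len(token))
	}
	return token[:12] + strings.Repeat("*", len(token)-12)
}

// ScanContent runs the rule over a file body line by line and returns confirmed hits.
func ScanContent(content string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, candidate := range jwtPattern.FindAllString(line, -1) {
			if alg, ok := looksLikeJWT(candidate); ok {
				findings = append(findings, Finding{Line: i + 1, Alg: alg, Masked: mask(candidate)})
			}
		}
	}
	return findings
}

// SampleDockerfile is constructed for this example. Line 2 leaks a token via ARG
// (the jwt.io demo token, not a real credential). Line 5 has the right shape for
// the regex but its "header" is not JSON, so the post-filter must drop it.
const SampleDockerfile = `FROM python:3.12-slim
ARG ARTIFACTORY_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
RUN pip install --index-url https://build:${ARTIFACTORY_TOKEN}@artifactory.example.internal/api/pypi/pypi-local/simple mypkg
# The ARG value is recorded in the image history, so secret scanning has to catch it.
ENV CACHE_KEY=eyAAAAAAAAAAAAAAAAAAAA.eyBBBBBBBBBBBBBBBBBBBB.CCCCCCCCCCCCCCCCCC`

func main() {
	for _, f := range ScanContent(SampleDockerfile) {
		fmt.Printf("line %d: JWT (alg=%s) %s\n", f.Line, f.Alg, f.Masked)
	}
}
```

Running it reports only line 2 of the sample, as `alg=HS256` with the token masked. The masking is deliberate: a scanner that echoes the full token into CI logs just moves the leak somewhere else. Decoding the header also gives the reviewer the signal the thread argues about when assigning severity, since a token with `alg` set to `none` or a payload without an expiry is a different risk than a short-lived signed one.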