how to ignore a false positive secret detection in configmap

[pfrydids]

IDs

avd-ksv-0109

Description

trivy k8s --ignore-unfixed --scanners vuln,misconfig,rbac ConfigMap/my-config-map -n mynamespace

results in

HIGH: ConfigMap 'my-config-map in mynamespace' namespace stores secrets in key(s) or value(s) '{"#               is flagged as requiring no password"}'
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Notice the the password text is part of a comment.

I can accept that it is hard to avoid this type of detection but is there a way to ignore a configmap or a particular detection?

The list of scanners provided didn't include secrets so I was hoping it would not attempt secret scanning.

Reproduction Steps

Deploy a configmap with a comment that mentions 'password' and then scan

Target

Kubernetes

Scanner

Secret

Target OS

No response

Debug Output

Pretty much identical to what I mentioned above.

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-19 06:10:54.596145068 +0000 UTC
  NextUpdate: 2024-02-19 12:10:54.596144688 +0000 UTC
  DownloadedAt: 2024-02-19 12:05:50.588114399 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-18 00:44:32.669835578 +0000 UTC
  NextUpdate: 2024-02-21 00:44:32.669835368 +0000 UTC
  DownloadedAt: 2024-02-19 12:18:15.588839564 +0000 UTC
Policy Bundle:
  Digest: sha256:73a2a1a91c421860d22f08b990a0ca28fee4ca1e1b45e0bdea14357867e31eb6
  DownloadedAt: 2024-02-19 12:05:51.162380444 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[chen-keinan]

@pfrydids have you tried using .trivyignore

[eamh0001]

Hi @chen-keinan! I don't think that's a meaningful answer, with that you are disabling the whole rule which defeats the purpose of SAST. Imagine disabling a rule every time you get a false positive, you could end up with a scanner with no rules! Instead you should be able to univocally mark that as a false positive (ideally without annotating the code as it would pollute it) or fine tune the rule (e.g., increasing the entropy if searching for secrets or whitelisting values). Would any of that possible be possible to do for this case?
Edit: If this rule is triggered only just for matching password I think that that is not a relevant rule and should be assessed to removed from trivy

[eamh0001]

I found out that the trivyignore.yaml format can let you also mark false positives in a more granular fashion. Maybe that can also help you @pfrydids, but be cautious that it is in experimental mode.