Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(secret): skip regular strings contain secret patterns #7182

Merged
merged 14 commits into from
Jul 25, 2024
Merged

fix(secret): skip regular strings contain secret patterns #7182

merged 14 commits into from
Jul 25, 2024

Conversation

afdesk
Copy link
Contributor

@afdesk afdesk commented Jul 17, 2024
edited
Loading

Description

Trivy shouldn't detect some strings containing letters before secret.
This PR excludes 0-9a-zA-Z for the next rules:

  • AWS Access Key ID (DISPID_ICANVASRENDERINGCONTEXT2D_CANVAS)
  • GitHub Personal Access Token (ghp_)
  • GitHub OAuth Access Token (gho_)
  • GitHub App Token (ghu_/ghs_)
  • GitHub Refresh Token (ghr_)
  • Hugging Face Access Token (hf_)
  • Slack token (xoxb-/xoxa-/xoxp-/xoxr-/xoxs-)
  • Stripe Publishable Key (pk_test_ / pk_live_)
  • Stripe Secret Key(sk_test_ / sk_live_)
  • Flutterwave public/secret key (FLWSECK_TEST-/FLWPUBK_TEST-)
  • Flutterwave encrypted key (FLWSECK_TEST)

There is no need to skip secrets for the most cases, because such strings still contain sensitive data or have long alphanumeric sequence:

MyAWS_secret_KEY="12ASD34qwe56CXZ78tyH10Tna543VBokN85RHCas"

EasyPost API token was skipped, because this one should have quotes before and after a token.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@afdesk afdesk marked this pull request as ready for review July 19, 2024 11:29
@afdesk afdesk marked this pull request as draft July 21, 2024 09:42
@afdesk afdesk marked this pull request as ready for review July 21, 2024 10:07
@afdesk
Copy link
Contributor Author

afdesk commented Jul 21, 2024

tests finally completed, so i think this PR is ready for review.

@knqyf263 @DmitriyLewen could you take a look when you have time? thanks

DmitriyLewen
DmitriyLewen reviewed Jul 22, 2024
View reviewed changes
pkg/fanal/secret/builtin-rules.go Outdated Show resolved Hide resolved
pkg/fanal/secret/builtin-rules.go Outdated Show resolved Hide resolved
pkg/fanal/secret/builtin-rules.go Outdated Show resolved Hide resolved
pkg/fanal/secret/builtin-rules.go Outdated Show resolved Hide resolved
pkg/fanal/secret/builtin-rules.go Outdated Show resolved Hide resolved
@afdesk
Copy link
Contributor Author

afdesk commented Jul 22, 2024

@DmitriyLewen
wdyt about Twilio API Key?

is it possible to create a correct variable name only with A-F letters?

trivy/pkg/fanal/secret/builtin-rules.go

Lines 245 to 252 in 9269563

{
ID: "twilio-api-key",
Category: CategoryTwilio,
Title: "Twilio API Key",
Severity: "MEDIUM",
Regex: MustCompile(`SK[0-9a-fA-F]{32}`),
Keywords: []string{"SK"},
},

@afdesk afdesk requested a review from DmitriyLewen July 22, 2024 11:39
@DmitriyLewen
Copy link
Contributor

I think we can add prefix for github-fine-grained-pat and gitlab-pat.

wdyt about Twilio API Key?
is it possible to create a correct variable name only with A-F letters?

I don't understand you. Unexpected prefix can use any characters.

@afdesk
Copy link
Contributor Author

afdesk commented Jul 22, 2024

gitlab-pat

gitlab-pat is added now, Twilio API Key and github-fine-grained-pat are skipped.

@DmitriyLewen
Copy link
Contributor

Twilio API Key and github-fine-grained-pat are skipped.

We talked offline with @afdesk and decided that the likelihood of accidentally obtaining these secrets is extremely low and there is no need to add prefix check for them.

DmitriyLewen
DmitriyLewen approved these changes Jul 23, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@knqyf263 knqyf263 added this pull request to the merge queue Jul 25, 2024
Merged via the queue into aquasecurity:main with commit 174b1e3 Jul 25, 2024
12 checks passed
@aqua-bot aqua-bot mentioned this pull request Jul 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix(secret): add prefix to exclude 0-9a-zA-Z before secret
3 participants
@afdesk @DmitriyLewen @knqyf263