Custom secrets not detected in repo #6454

ethoms-usgs · 2024-04-03T22:23:23Z

ethoms-usgs
Apr 3, 2024

Question

Started with Gitleaks and was able to get it to detect some fake secrets in a repository containing only two files, fake_secrets.txt and requirements.txt, using a custom configuration file. After migrating the rules over to YAML for Trivy, nothing is detected.

I run trivy repo "path/to/repo' -c "path/to/trivy-secret.yaml and get

2024-04-03T14:01:02.991-0800    INFO    Loaded path/to/repo
2024-04-03T14:01:02.997-0800    INFO    Vulnerability scanning is enabled
2024-04-03T14:01:02.997-0800    INFO    Secret scanning is enabled
2024-04-03T14:01:03.000-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-03T14:01:03.000-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-04-03T14:01:03.001-0800    INFO    Loading trivy-secret.yaml for secret scanning...
2024-04-03T14:01:03.011-0800    INFO    Number of language-specific files: 1
2024-04-03T14:01:03.011-0800    INFO    Detecting pip vulnerabilities...

and then no reports of secrets.

It took a bit of fiddling with a YAML linter to get the regexes properly formatted, but they differ from what was working with Gitleaks by only some escape characters and only three of the seven rules needed editing anyway.

I have tried disabling the examples allow-rule and scanning the repo as a file system.

Target

Git Repository

Scanner

Secret

Output Format

Table

Mode

Standalone

Operating System

Windows 10

Version

Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-03 18:12:10.546555408 +0000 UTC
  NextUpdate: 2024-04-04 00:12:10.546554706 +0000 UTC
  DownloadedAt: 2024-04-03 21:45:48.6022329 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-05 21:48:23.0160194 +0000 UTC

Answered by DmitriyLewen

Apr 16, 2024

Hello @ethoms-usgs

I checked your config file.
there are some points:

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$: To use ^ and $ as symbols of begin and end of line you need to use multi-line mode -(?m).- see https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#configuration
'''"?[a-zA-Z]:[^/]\\?\\?(?:[^\\/:*?"<>|\r\n]+?\\?\\)*[^\\/:*?"<>|\r\n]*"?''': remove extra quotes.
severity: low: severity should be in upper case ( i created #6500 to fix this).

example:

➜ cat trivy-secret.yaml 
rules:
  - id: paths
    category: security_review
    title: find absolute windows paths
    severity: LOW
    regex: '"?[a-zA-Z]:[^/]\\?\\?(?:[^\\/:*?"<>|\r\n]+?\\?\\)*[^\\/:*?"<>|\r\n]*"?'
  - id: ip…

View full answer

AnaisUrlichs · 2024-04-08T13:28:21Z

AnaisUrlichs
Apr 8, 2024

Hi there, what content is in the file? e.g. trivy-secret.yaml? Trivy will look for particular keywords/patterns that suggest there is a secret in the file, it does not understand the naming of the files itself

Here is the entire docs on secret scanning https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/

6 replies

AnaisUrlichs Apr 15, 2024

So the only issue I can see why it is not being used is that for secret scanning focused rules, you have to use the following flag --secret-config and then the path to your files with the regex rules -- instead of --config. However, I cannot get the example to work either. I am also wondering if there is a difference between trivy fs and trivy repo as the information is currently missing in the docs cc @knqyf263. I assume the secret scanning works the same way for all Trivy subcommands.

knqyf263 Apr 15, 2024
Maintainer

Looks like the config file is loaded properly.
@DmitriyLewen Can you ptal?

AnaisUrlichs Apr 15, 2024

I tried different examples, not sure if my regex was wrong each time but I could not get Trivy to find any of the values in the above secrets file content

DmitriyLewen Apr 16, 2024
Maintainer

Hello @ethoms-usgs

I checked your config file.
there are some points:

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$: To use ^ and $ as symbols of begin and end of line you need to use multi-line mode -(?m).- see https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#configuration
'''"?[a-zA-Z]:[^/]\\?\\?(?:[^\\/:*?"<>|\r\n]+?\\?\\)*[^\\/:*?"<>|\r\n]*"?''': remove extra quotes.
severity: low: severity should be in upper case ( i created fix(secret): convert severity for custom rules #6500 to fix this).

example:

➜ cat trivy-secret.yaml 
rules:
  - id: paths
    category: security_review
    title: find absolute windows paths
    severity: LOW
    regex: '"?[a-zA-Z]:[^/]\\?\\?(?:[^\\/:*?"<>|\r\n]+?\\?\\)*[^\\/:*?"<>|\r\n]*"?'
  - id: ip address
    category: security_review
    title: find numerical ip addresses
    severity: LOW
    regex: '(?m)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
  - id: email warning
    category: security_review
    title: find email addresses
    severity: LOW
    regex: '(?m)[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,4}$'
  - id: AGOL warning
    category: security_review
    title: AGOL login warning
    severity: LOW
    regex: 'GIS\((.*?)\)'
    keywords:
      - url
      - username
      - password
      - key_file
      - cert_file
      - verify_cert
  - id: Internal USGS server name
    description: Find internal USGS server name
    category: security_review
    regex: '[A-Za-z0-9]+\.[A-Za-z0-9]+\.[A-Za-z0-9]+\.[A-Za-z0-9]+'
    severity: LOW
  - id: ScienceBase login warning
    description: ScienceBase login warning
    category: security_review
    regex: '(import sciencebasepy|sciencebasepy.SbSession\(\)|\.login\((.*?)\))'
    keywords:
      - username
      - password
    severity: LOW

➜ trivy -d fs --scanners secret ./secret.txt
...
/secret.txt (secrets)

Total: 11 (UNKNOWN: 0, LOW: 11, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: security_review (AGOL warning)
════════════════════════════════════════════════════════════════════════════════
AGOL login warning
────────────────────────────────────────────────────────────────────────────────
 /secret.txt:6
────────────────────────────────────────────────────────────────────────────────
   4   ***************
   5   from arcgis.gis import GIS
   6 [ *********************************************************
   7   ***************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (Internal USGS server name)
════════════════════════════════════════════════════════════════════════════════

────────────────────────────────────────────────────────────────────────────────
 /secret.txt:7
────────────────────────────────────────────────────────────────────────────────
   5   from arcgis.gis import GIS
   6   *********************************************************
   7 [ ***************
   8   *****************************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (Internal USGS server name)
════════════════════════════════════════════════════════════════════════════════

────────────────────────────────────────────────────────────────────────────────
 /secret.txt:8
────────────────────────────────────────────────────────────────────────────────
   6   *********************************************************
   7   ***************
   8 [ *****************************
   9   ********************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (ScienceBase login warning)
════════════════════════════════════════════════════════════════════════════════

────────────────────────────────────────────────────────────────────────────────
 /secret.txt:9
────────────────────────────────────────────────────────────────────────────────
   7   ***************
   8   *****************************
   9 [ ********************
  10   *************************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (ScienceBase login warning)
════════════════════════════════════════════════════════════════════════════════

────────────────────────────────────────────────────────────────────────────────
 /secret.txt:10
────────────────────────────────────────────────────────────────────────────────
   8   *****************************
   9   ********************
  10 [ *************************
  11   sb************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (ScienceBase login warning)
════════════════════════════════════════════════════════════════════════════════

────────────────────────────────────────────────────────────────────────────────
 /secret.txt:11
────────────────────────────────────────────────────────────────────────────────
   9   ********************
  10   *************************
  11 [ sb************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (email warning)
════════════════════════════════════════════════════════════════════════════════
find email addresses
────────────────────────────────────────────────────────────────────────────────
 /secret.txt:3
────────────────────────────────────────────────────────────────────────────────
   1   *************
   2   *****************
   3 [ ****************
   4   ***************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (email warning)
════════════════════════════════════════════════════════════════════════════════
find email addresses
────────────────────────────────────────────────────────────────────────────────
 /secret.txt:4
────────────────────────────────────────────────────────────────────────────────
   2   *****************
   3   ****************
   4 [ ***************
   5   from arcgis.gis import GIS
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (ip address)
════════════════════════════════════════════════════════════════════════════════
find numerical ip addresses
────────────────────────────────────────────────────────────────────────────────
 /secret.txt:7
────────────────────────────────────────────────────────────────────────────────
   5   from arcgis.gis import GIS
   6   *********************************************************
   7 [ ***************
   8   *****************************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (paths)
════════════════════════════════════════════════════════════════════════════════
find absolute windows paths
────────────────────────────────────────────────────────────────────────────────
 /secret.txt:1
────────────────────────────────────────────────────────────────────────────────
   1 [ *************
   2   *****************
────────────────────────────────────────────────────────────────────────────────


LOW: security_review (paths)
════════════════════════════════════════════════════════════════════════════════
find absolute windows paths
────────────────────────────────────────────────────────────────────────────────
 /secret.txt:2
────────────────────────────────────────────────────────────────────────────────
   1   *************
   2 [ *****************
   3   ****************
────────────────────────────────────────────────────────────────────────────────

Answer selected by DmitriyLewen

ethoms-usgs Apr 16, 2024
Author

Thanks so much Anais, Dmitriy!
I used the secret-config switch and the edited rules and everything works as expected.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Custom secrets not detected in repo #6454

{{title}}

Replies: 1 comment 6 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Custom secrets not detected in repo #6454

ethoms-usgs Apr 3, 2024

Question

Target

Scanner

Output Format

Mode

Operating System

Version

Replies: 1 comment · 6 replies

AnaisUrlichs Apr 8, 2024

AnaisUrlichs Apr 15, 2024

knqyf263 Apr 15, 2024 Maintainer

AnaisUrlichs Apr 15, 2024

DmitriyLewen Apr 16, 2024 Maintainer

ethoms-usgs Apr 16, 2024 Author

ethoms-usgs
Apr 3, 2024

Replies: 1 comment 6 replies

AnaisUrlichs
Apr 8, 2024

knqyf263 Apr 15, 2024
Maintainer

DmitriyLewen Apr 16, 2024
Maintainer

ethoms-usgs Apr 16, 2024
Author