Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(secret): detect secrets removed or overwritten in upper layer #2611

Merged
merged 7 commits into from
Aug 15, 2022

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Jul 28, 2022

Description

Secrets can be deleted or overwritten in the upper layer.
We still have to keep these secrets.

Which layer contains the secret file, you can see in the Layer field when using the json format:

...
    {
      "Target": "/usr/secret.txt",
      "Class": "secret",
      "Layer": "sha256:8193895fe615d0d77042b962ebfac2b6732bee03b0a8914650414730cb168e55",
      "Secrets": [
        {
          "RuleID": "aws-access-key-id",
          "Category": "AWS",
          "Severity": "CRITICAL",
          "Title": "AWS Access Key ID",
          "StartLine": 1,
          "EndLine": 1,
          "Code": {
            "Lines": [
              {
                "Number": 1,
                "Content": "AWS_ACCESS_KEY_ID=********************",
                "IsCause": true,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "AWS_ACCESS_KEY_ID=********************",
                "FirstCause": true,
                "LastCause": true
              },
            ]
          },
          "Match": "AWS_ACCESS_KEY_ID=********************"
        }
      ]
    },
    {
      "Target": "/usr/secret.txt",
      "Class": "secret",
      "Layer": "sha256:9b98752743e6bcc98cb1032601866d49c0b43f380eba23951eceddc39e9e748e",
      "Secrets": [
        {
          "RuleID": "github-pat",
          "Category": "GitHub",
          "Severity": "CRITICAL",
          "Title": "GitHub Personal Access Token",
          "StartLine": 1,
          "EndLine": 1,
          "Code": {
            "Lines": [
              {
                "Number": 1,
                "Content": "GITHUB_PAT=****************************************",
                "IsCause": true,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "GITHUB_PAT=****************************************",
                "FirstCause": true,
                "LastCause": true
              }
            ]
          },
          "Match": "GITHUB_PAT=****************************************"
        }
      ]
    }
  ]
}

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner July 28, 2022 06:48
@DmitriyLewen DmitriyLewen changed the title refactor(secrets): keep detected secrets removed or overwritten in upper layer refactor(secret): keep detected secrets removed or overwritten in upper layer Jul 28, 2022
@@ -53,6 +53,7 @@ type Result struct {
Target string `json:"Target"`
Class ResultClass `json:"Class,omitempty"`
Type string `json:"Type,omitempty"`
Layer string `json:"Layer,omitempty"` // Used only for secrets, as Trivy keeps secrets from all layers.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have Layer here rather than in Result.

type SecretFinding struct {
RuleID string
Category SecretRuleCategory
Severity string
Title string
StartLine int
EndLine int
Code Code
Match string
}

If the finding is the same, the first introduced layer should be taken.

  • Layer 1
    • no secret found
  • Layer 2
    • secret.txt
      • GitHub PAT
  • Layer 3
    • secret.txt
      • GitHub PAT
      • AWS Access Key
  • Layer 4
    • remove secret.txt

The result would be as below.

{
  "Target": "secret.txt",
  "Secrets": [
    {
      "RuleID": "github-pat",
      ...
      "Layer": "Layer 2",
    },
    {
      "RuleID": "aws-access-key",
      ...
      "Layer": "Layer 3",
    }
  ]
}

We should not have github-pat in Layer 3.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that Layer actually consists of Digest and DiffID. The above example is for sake of simplicity.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@DmitriyLewen DmitriyLewen self-assigned this Aug 8, 2022
@knqyf263 knqyf263 changed the title refactor(secret): keep detected secrets removed or overwritten in upper layer feat(secret): detect secrets removed or overwritten in upper layer Aug 15, 2022
@knqyf263 knqyf263 merged commit a5d4f7f into main Aug 15, 2022
@knqyf263 knqyf263 deleted the secrets-from-all-layers branch August 15, 2022 17:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Keep detected secrets removed in upper layer
2 participants