feat: add secret scanning (#1901)

Co-authored-by: VaismanLior <97836016+VaismanLior@users.noreply.github.com> Co-authored-by: AMF <work@afdesk.com>
2025-12-21 23:00:42 -08:00 · 2022-04-22 17:08:18 +03:00
parent 0700586483
commit 5f047f97db
33 changed files with 1054 additions and 332 deletions
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -11,6 +11,7 @@ import (

 	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/analyzer/config"
+	"github.com/aquasecurity/fanal/analyzer/secret"
 	"github.com/aquasecurity/fanal/artifact"
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy-db/pkg/db"
@@ -41,9 +42,6 @@ type scannerConfig struct {

 	// Artifact options
 	ArtifactOption artifact.Option
-
-	// Misconfiguration scanning options
-	MisconfOption config.ScannerOption
 }

 // InitializeScanner defines the initialize function signature of scanner
@@ -189,11 +187,16 @@ func disabledAnalyzers(opt Option) []analyzer.Type {
 		analyzers = append(analyzers, analyzer.TypeApkCommand)
 	}

-	// Don't analyze programming language packages when not running in 'library' mode
+	// Do not analyze programming language packages when not running in 'library' mode
 	if !slices.Contains(opt.VulnType, types.VulnTypeLibrary) {
 		analyzers = append(analyzers, analyzer.TypeLanguages...)
 	}

+	// Do not perform secret scanning when it is not specified.
+	if !slices.Contains(opt.SecurityChecks, types.SecurityCheckSecret) {
+		analyzers = append(analyzers, analyzer.TypeSecret)
+	}
+
 	return analyzers
 }

@@ -246,8 +249,15 @@ func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner,
 			InsecureSkipTLS:   opt.Insecure,
 			Offline:           opt.OfflineScan,
 			NoProgress:        opt.NoProgress || opt.Quiet,
+
+			// For misconfiguration scanning
+			MisconfScannerOption: configScannerOptions,
+
+			// For secret scanning
+			SecretScannerOption: secret.ScannerOption{
+				ConfigPath: opt.SecretConfigPath,
+			},
 		},
-		MisconfOption: configScannerOptions,
 	})
 	if err != nil {
 		return types.Report{}, xerrors.Errorf("unable to initialize a scanner: %w", err)
@@ -269,7 +279,7 @@ func filter(ctx context.Context, opt Option, report types.Report) (types.Report,
 		if opt.RemoteAddr == "" {
 			resultClient.FillVulnerabilityInfo(results[i].Vulnerabilities, results[i].Type)
 		}
-		vulns, misconfSummary, misconfs, err := resultClient.Filter(ctx, results[i].Vulnerabilities, results[i].Misconfigurations,
+		vulns, misconfSummary, misconfs, secrets, err := resultClient.Filter(ctx, results[i].Vulnerabilities, results[i].Misconfigurations, results[i].Secrets,
 			opt.Severities, opt.IgnoreUnfixed, opt.IncludeNonFailures, opt.IgnoreFile, opt.IgnorePolicy)
 		if err != nil {
 			return types.Report{}, xerrors.Errorf("unable to filter vulnerabilities: %w", err)
@@ -277,6 +287,7 @@ func filter(ctx context.Context, opt Option, report types.Report) (types.Report,
 		results[i].Vulnerabilities = vulns
 		results[i].Misconfigurations = misconfs
 		results[i].MisconfSummary = misconfSummary
+		results[i].Secrets = secrets
 	}
 	return report, nil
 }