From a02c06bafdf4d1b78c9c44b0a6566394752783d7 Mon Sep 17 00:00:00 2001 From: Teppei Fukuda Date: Wed, 15 Jun 2022 12:39:32 +0300 Subject: [PATCH] feat(secret): show recommendation for slow scanning (#2051) Co-authored-by: afdesk --- docs/docs/secret/scanning.md | 12 +++++++----- pkg/commands/artifact/run.go | 31 +++++++++++++++++++++++++------ 2 files changed, 32 insertions(+), 11 deletions(-) diff --git a/docs/docs/secret/scanning.md b/docs/docs/secret/scanning.md index 4f543412b9..8dc5d544c0 100644 --- a/docs/docs/secret/scanning.md +++ b/docs/docs/secret/scanning.md @@ -89,11 +89,6 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0) ## Configuration Trivy has a set of builtin rules for secret scanning, which can be extended or modified by a configuration file. -If you don't need secret scanning, you can disable it via the `--security-checks` flag. - -```shell -$ trivy image --security-checks vuln alpine:3.15 -``` ## Recommendation We would recommend specifying `--skip-dirs` for faster secret scanning. @@ -111,6 +106,13 @@ All rules are disabled except for the ones you specify, so it runs very fast. On the other hand, you should use `disable-rules` if you just want to disable some built-in rules. See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail. +If you don't need secret scanning, you can disable it via the `--security-checks` flag. + +```shell +$ trivy image --security-checks vuln alpine:3.15 +``` + + ## Credit This feature is inspired by [gitleaks][gitleaks]. diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index d5350e2885..9ef2094b0c 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go @@ -3,6 +3,7 @@ package artifact import ( "context" "errors" + "fmt" "os" "github.com/hashicorp/go-multierror" 
@@ -153,7 +154,7 @@ func (r *runner) ScanImage(ctx context.Context, opt Option) (types.Report, error s = imageRemoteScanner } - return r.scan(ctx, opt, s) + return r.scanArtifact(ctx, opt, s) } func (r *runner) ScanFilesystem(ctx context.Context, opt Option) (types.Report, error) { @@ -180,7 +181,7 @@ func (r *runner) scanFS(ctx context.Context, opt Option) (types.Report, error) { s = filesystemRemoteScanner } - return r.scan(ctx, opt, s) + return r.scanArtifact(ctx, opt, s) } func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report, error) { @@ -190,10 +191,10 @@ func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report, // Disable the OS analyzers and individual package analyzers opt.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...) - return r.scan(ctx, opt, repositoryStandaloneScanner) + return r.scanArtifact(ctx, opt, repositoryStandaloneScanner) } -func (r *runner) scan(ctx context.Context, opt Option, initializeScanner InitializeScanner) (types.Report, error) { +func (r *runner) scanArtifact(ctx context.Context, opt Option, initializeScanner InitializeScanner) (types.Report, error) { report, err := scan(ctx, opt, initializeScanner, r.cache) if err != nil { return types.Report{}, xerrors.Errorf("scan error: %w", err) 
@@ -417,14 +418,19 @@ func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, type scanOptions := types.ScanOptions{ VulnType: opt.VulnType, SecurityChecks: opt.SecurityChecks, - ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for image subcommand + ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for 'image' subcommand ListAllPackages: opt.ListAllPkgs, } - log.Logger.Debugf("Vulnerability type: %s", scanOptions.VulnType) + + if slices.Contains(opt.SecurityChecks, types.SecurityCheckVulnerability) { + log.Logger.Info("Vulnerability scanning is enabled") + log.Logger.Debugf("Vulnerability type: %s", scanOptions.VulnType) + } // ScannerOption is filled only when config scanning is enabled. var configScannerOptions config.ScannerOption if slices.Contains(opt.SecurityChecks, types.SecurityCheckConfig) { + log.Logger.Info("Misconfiguration scanning is enabled") configScannerOptions = config.ScannerOption{ Trace: opt.Trace, Namespaces: append(opt.PolicyNamespaces, defaultPolicyNamespaces...), @@ -434,6 +440,19 @@ func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, type } } + // Do not load config file for secret scanning + if slices.Contains(opt.SecurityChecks, types.SecurityCheckSecret) { + ver := fmt.Sprintf("v%s", opt.AppVersion) + if opt.AppVersion == "dev" { + ver = opt.AppVersion + } + log.Logger.Info("Secret scanning is enabled") + log.Logger.Info("If your scanning is slow, please try '--security-checks vuln' to disable secret scanning") + log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", ver) + } else { + opt.SecretConfigPath = "" + } + return ScannerConfig{ Target: target, ArtifactCache: cacheClient,
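Review bot: The comment `// Do not load config file for secret scanning` is attached to the branch that runs when secret scanning *is* enabled, while the behaviour it describes lives in the `else`; move it onto that branch and state the intent, e.g. `// Secret scanning is disabled: clear the config path so no secret-rules file is read or parsed.` Also `opt` is a value parameter of initScannerConfig, so `opt.SecretConfigPath = ""` only changes this function's copy; it has any effect only if the ScannerConfig literal that begins at the end of the hunk reads `opt.SecretConfigPath`, which cannot be confirmed from here because both the literal and the function continue past the hunk. The version-to-URL mapping additionally assumes AppVersion never already carries a leading `v`; if a build can inject one, `strings.TrimPrefix(opt.AppVersion, "v")` before prefixing would avoid emitting a `vv…` docs link — worth confirming against how AppVersion is set.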