mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-22 15:16:33 -08:00
feat(secret): show recommendation for slow scanning (#2051)
Co-authored-by: afdesk <work@afdesk.com>
This commit is contained in:
Teppei Fukuda
@@ -89,11 +89,6 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
|
|||||||
## Configuration
|
## Configuration
|
||||||
Trivy has a set of builtin rules for secret scanning, which can be extended or modified by a configuration file.
|
Trivy has a set of builtin rules for secret scanning, which can be extended or modified by a configuration file.
|
||||||
|
|
||||||
If you don't need secret scanning, you can disable it via the `--security-checks` flag.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
$ trivy image --security-checks vuln alpine:3.15
|
|
||||||
```
|
|
||||||
|
|
||||||
## Recommendation
|
## Recommendation
|
||||||
We would recommend specifying `--skip-dirs` for faster secret scanning.
|
We would recommend specifying `--skip-dirs` for faster secret scanning.
|
||||||
@@ -111,6 +106,13 @@ All rules are disabled except for the ones you specify, so it runs very fast.
|
|||||||
On the other hand, you should use `disable-rules` if you just want to disable some built-in rules.
|
On the other hand, you should use `disable-rules` if you just want to disable some built-in rules.
|
||||||
See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail.
|
See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail.
|
||||||
|
|
||||||
|
If you don't need secret scanning, you can disable it via the `--security-checks` flag.
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ trivy image --security-checks vuln alpine:3.15
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Credit
|
## Credit
|
||||||
This feature is inspired by [gitleaks][gitleaks].
|
This feature is inspired by [gitleaks][gitleaks].
|
||||||
|
|
||||||
|
|||||||
@@ -3,6 +3,7 @@ package artifact
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
"github.com/hashicorp/go-multierror"
|
"github.com/hashicorp/go-multierror"
|
||||||
@@ -153,7 +154,7 @@ func (r *runner) ScanImage(ctx context.Context, opt Option) (types.Report, error
|
|||||||
s = imageRemoteScanner
|
s = imageRemoteScanner
|
||||||
}
|
}
|
||||||
|
|
||||||
return r.scan(ctx, opt, s)
|
return r.scanArtifact(ctx, opt, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *runner) ScanFilesystem(ctx context.Context, opt Option) (types.Report, error) {
|
func (r *runner) ScanFilesystem(ctx context.Context, opt Option) (types.Report, error) {
|
||||||
@@ -180,7 +181,7 @@ func (r *runner) scanFS(ctx context.Context, opt Option) (types.Report, error) {
|
|||||||
s = filesystemRemoteScanner
|
s = filesystemRemoteScanner
|
||||||
}
|
}
|
||||||
|
|
||||||
return r.scan(ctx, opt, s)
|
return r.scanArtifact(ctx, opt, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report, error) {
|
func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report, error) {
|
||||||
@@ -190,10 +191,10 @@ func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report,
|
|||||||
// Disable the OS analyzers and individual package analyzers
|
// Disable the OS analyzers and individual package analyzers
|
||||||
opt.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
|
opt.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
|
||||||
|
|
||||||
return r.scan(ctx, opt, repositoryStandaloneScanner)
|
return r.scanArtifact(ctx, opt, repositoryStandaloneScanner)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *runner) scan(ctx context.Context, opt Option, initializeScanner InitializeScanner) (types.Report, error) {
|
func (r *runner) scanArtifact(ctx context.Context, opt Option, initializeScanner InitializeScanner) (types.Report, error) {
|
||||||
report, err := scan(ctx, opt, initializeScanner, r.cache)
|
report, err := scan(ctx, opt, initializeScanner, r.cache)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return types.Report{}, xerrors.Errorf("scan error: %w", err)
|
return types.Report{}, xerrors.Errorf("scan error: %w", err)
|
||||||
@@ -417,14 +418,19 @@ func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, type
|
|||||||
scanOptions := types.ScanOptions{
|
scanOptions := types.ScanOptions{
|
||||||
VulnType: opt.VulnType,
|
VulnType: opt.VulnType,
|
||||||
SecurityChecks: opt.SecurityChecks,
|
SecurityChecks: opt.SecurityChecks,
|
||||||
ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for image subcommand
|
ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for 'image' subcommand
|
||||||
ListAllPackages: opt.ListAllPkgs,
|
ListAllPackages: opt.ListAllPkgs,
|
||||||
}
|
}
|
||||||
log.Logger.Debugf("Vulnerability type: %s", scanOptions.VulnType)
|
|
||||||
|
if slices.Contains(opt.SecurityChecks, types.SecurityCheckVulnerability) {
|
||||||
|
log.Logger.Info("Vulnerability scanning is enabled")
|
||||||
|
log.Logger.Debugf("Vulnerability type: %s", scanOptions.VulnType)
|
||||||
|
}
|
||||||
|
|
||||||
// ScannerOption is filled only when config scanning is enabled.
|
// ScannerOption is filled only when config scanning is enabled.
|
||||||
var configScannerOptions config.ScannerOption
|
var configScannerOptions config.ScannerOption
|
||||||
if slices.Contains(opt.SecurityChecks, types.SecurityCheckConfig) {
|
if slices.Contains(opt.SecurityChecks, types.SecurityCheckConfig) {
|
||||||
|
log.Logger.Info("Misconfiguration scanning is enabled")
|
||||||
configScannerOptions = config.ScannerOption{
|
configScannerOptions = config.ScannerOption{
|
||||||
Trace: opt.Trace,
|
Trace: opt.Trace,
|
||||||
Namespaces: append(opt.PolicyNamespaces, defaultPolicyNamespaces...),
|
Namespaces: append(opt.PolicyNamespaces, defaultPolicyNamespaces...),
|
||||||
@@ -434,6 +440,19 @@ func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, type
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Do not load config file for secret scanning
|
||||||
|
if slices.Contains(opt.SecurityChecks, types.SecurityCheckSecret) {
|
||||||
|
ver := fmt.Sprintf("v%s", opt.AppVersion)
|
||||||
|
if opt.AppVersion == "dev" {
|
||||||
|
ver = opt.AppVersion
|
||||||
|
}
|
||||||
|
log.Logger.Info("Secret scanning is enabled")
|
||||||
|
log.Logger.Info("If your scanning is slow, please try '--security-checks vuln' to disable secret scanning")
|
||||||
|
log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", ver)
|
||||||
|
} else {
|
||||||
|
opt.SecretConfigPath = ""
|
||||||
|
}
|
||||||
|
|
||||||
return ScannerConfig{
|
return ScannerConfig{
|
||||||
Target: target,
|
Target: target,
|
||||||
ArtifactCache: cacheClient,
|
ArtifactCache: cacheClient,
|
||||||
|
|||||||
Reference in New Issue
Block a user