feat(secret): show recommendation for slow scanning (#2051)
Co-authored-by: afdesk <work@afdesk.com>
@@ -89,11 +89,6 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
|
||||
## Configuration
|
||||
Trivy has a set of builtin rules for secret scanning, which can be extended or modified by a configuration file.
|
||||
|
||||
If you don't need secret scanning, you can disable it via the `--security-checks` flag.
|
||||
|
||||
```shell
|
||||
$ trivy image --security-checks vuln alpine:3.15
|
||||
```
|
||||
|
||||
## Recommendation
|
||||
We would recommend specifying `--skip-dirs` for faster secret scanning.
|
||||
@@ -111,6 +106,13 @@ All rules are disabled except for the ones you specify, so it runs very fast.
|
||||
On the other hand, you should use `disable-rules` if you just want to disable some built-in rules.
|
||||
See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail.
|
||||
|
||||
If you don't need secret scanning, you can disable it via the `--security-checks` flag.
|
||||
|
||||
```shell
|
||||
$ trivy image --security-checks vuln alpine:3.15
|
||||
```
|
||||
|
||||
|
||||
## Credit
|
||||
This feature is inspired by [gitleaks][gitleaks].
|
||||
|
||||
|
||||
@@ -3,6 +3,7 @@ package artifact
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/hashicorp/go-multierror"
|
||||
@@ -153,7 +154,7 @@ func (r *runner) ScanImage(ctx context.Context, opt Option) (types.Report, error
|
||||
s = imageRemoteScanner
|
||||
}
|
||||
|
||||
return r.scan(ctx, opt, s)
|
||||
return r.scanArtifact(ctx, opt, s)
|
||||
}
|
||||
|
||||
func (r *runner) ScanFilesystem(ctx context.Context, opt Option) (types.Report, error) {
|
||||
@@ -180,7 +181,7 @@ func (r *runner) scanFS(ctx context.Context, opt Option) (types.Report, error) {
|
||||
s = filesystemRemoteScanner
|
||||
}
|
||||
|
||||
return r.scan(ctx, opt, s)
|
||||
return r.scanArtifact(ctx, opt, s)
|
||||
}
|
||||
|
||||
func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report, error) {
|
||||
@@ -190,10 +191,10 @@ func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report,
|
||||
// Disable the OS analyzers and individual package analyzers
|
||||
opt.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
|
||||
|
||||
return r.scan(ctx, opt, repositoryStandaloneScanner)
|
||||
return r.scanArtifact(ctx, opt, repositoryStandaloneScanner)
|
||||
}
|
||||
|
||||
func (r *runner) scan(ctx context.Context, opt Option, initializeScanner InitializeScanner) (types.Report, error) {
|
||||
func (r *runner) scanArtifact(ctx context.Context, opt Option, initializeScanner InitializeScanner) (types.Report, error) {
|
||||
report, err := scan(ctx, opt, initializeScanner, r.cache)
|
||||
if err != nil {
|
||||
return types.Report{}, xerrors.Errorf("scan error: %w", err)
|
||||
@@ -417,14 +418,19 @@ func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, type
|
||||
scanOptions := types.ScanOptions{
|
||||
VulnType: opt.VulnType,
|
||||
SecurityChecks: opt.SecurityChecks,
|
||||
ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for image subcommand
|
||||
ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for 'image' subcommand
|
||||
ListAllPackages: opt.ListAllPkgs,
|
||||
}
|
||||
|
||||
if slices.Contains(opt.SecurityChecks, types.SecurityCheckVulnerability) {
|
||||
log.Logger.Info("Vulnerability scanning is enabled")
|
||||
log.Logger.Debugf("Vulnerability type: %s", scanOptions.VulnType)
|
||||
}
|
||||
|
||||
// ScannerOption is filled only when config scanning is enabled.
|
||||
var configScannerOptions config.ScannerOption
|
||||
if slices.Contains(opt.SecurityChecks, types.SecurityCheckConfig) {
|
||||
log.Logger.Info("Misconfiguration scanning is enabled")
|
||||
configScannerOptions = config.ScannerOption{
|
||||
Trace: opt.Trace,
|
||||
Namespaces: append(opt.PolicyNamespaces, defaultPolicyNamespaces...),
|
||||
@@ -434,6 +440,19 @@ func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, type
|
||||
}
|
||||
}
|
||||
|
||||
// Do not load config file for secret scanning
|
||||
if slices.Contains(opt.SecurityChecks, types.SecurityCheckSecret) {
|
||||
ver := fmt.Sprintf("v%s", opt.AppVersion)
|
||||
if opt.AppVersion == "dev" {
|
||||
ver = opt.AppVersion
|
||||
}
|
||||
log.Logger.Info("Secret scanning is enabled")
|
||||
log.Logger.Info("If your scanning is slow, please try '--security-checks vuln' to disable secret scanning")
|
||||
log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", ver)
|
||||
} else {
|
||||
opt.SecretConfigPath = ""
|
||||
}
|
||||
|
||||
return ScannerConfig{
|
||||
Target: target,
|
||||
ArtifactCache: cacheClient,
|
||||
|
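Review bot: The comment `// Do not load config file for secret scanning` now sits above the branch that runs when secret scanning is enabled, while the behaviour it describes (`opt.SecretConfigPath = ""`) lives in the `else` branch; move it there and reword it, e.g. `// Secret scanning is disabled, so the secret config file is not loaded`. The hint `'--security-checks vuln' to disable secret scanning` also drops misconfiguration scanning for anyone running `--security-checks vuln,config,secret`, silently reducing coverage; wording it as removing `secret` from `--security-checks` would avoid that. The docs URL is built from `opt.AppVersion` with a `v` prefix (bare `dev` excepted), which assumes the published site is versioned exactly as `v<AppVersion>`; if that does not hold for every release form (e.g. pre-release tags), users get a 404 instead of the recommendation, so it is worth confirming against the docs deployment. initScannerConfig's body continues past the end of this hunk.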
||||