feat(secret): add secret config file for cache calculation (#4837)

* move parse secret config to initScannerConfig + add secret to cache key

* add calc cache test

* just read config file and add to cache

* refactor comments

* refactor

pkg/fanal/cache/key.go

@@ -36,21 +36,24 @@ func CalcKey(id string, analyzerVersions analyzer.Versions, hookVersions map[str
 		return "", xerrors.Errorf("json encode error: %w", err)
 	}
 
-	// Write policy and data contents
-	for _, paths := range [][]string{artifactOpt.MisconfScannerOption.PolicyPaths, artifactOpt.MisconfScannerOption.DataPaths} {
-		for _, p := range paths {
-			hash, err := hashContents(p)
-			if err != nil {
-				return "", err
-			}
+	// Write policy, data contents and secret config file
+	paths := append(artifactOpt.MisconfScannerOption.PolicyPaths, artifactOpt.MisconfScannerOption.DataPaths...)
 
-			if _, err := h.Write([]byte(hash)); err != nil {
-				return "", xerrors.Errorf("sha256 write error: %w", err)
-			}
-		}
+	// Check if the secret config exists.
+	if _, err := os.Stat(artifactOpt.SecretScannerOption.ConfigPath); err == nil {
+		paths = append(paths, artifactOpt.SecretScannerOption.ConfigPath)
 	}
 
-	// TODO: add secret scanner option here
+	for _, p := range paths {
+		hash, err := hashContents(p)
+		if err != nil {
+			return "", err
+		}
+
+		if _, err := h.Write([]byte(hash)); err != nil {
+			return "", xerrors.Errorf("sha256 write error: %w", err)
+		}
+	}
 
 	return fmt.Sprintf("sha256:%x", h.Sum(nil)), nil
 }

pkg/fanal/cache/key_test.go

@@ -21,6 +21,7 @@ func TestCalcKey(t *testing.T) {
 		patterns         []string
 		policy           []string
 		data             []string
+		secretConfigPath string
 	}
 	tests := []struct {
 		name    string
@@ -175,6 +176,42 @@ func TestCalcKey(t *testing.T) {
 			},
 			want: "sha256:363f70f4ee795f250873caea11c2fc94ef12945444327e7e2f8a99e3884695e0",
 		},
+		{
+
+			name: "secret config",
+			args: args{
+				key: "sha256:5c534be56eca62e756ef2ef51523feda0f19cd7c15bb0c015e3d6e3ae090bf6e",
+				analyzerVersions: analyzer.Versions{
+					Analyzers: map[string]int{
+						"alpine": 1,
+						"debian": 1,
+					},
+				},
+				hookVersions: map[string]int{
+					"python-pkg": 1,
+				},
+				secretConfigPath: "testdata/trivy-secret.yaml",
+			},
+			want: "sha256:d3fb9503f2851ae9bdb250b7ef55c00c0bfa1250b19d4d398a9219c2c0e20958",
+		},
+		{
+
+			name: "secret config file doesn't exist",
+			args: args{
+				key: "sha256:5c534be56eca62e756ef2ef51523feda0f19cd7c15bb0c015e3d6e3ae090bf6e",
+				analyzerVersions: analyzer.Versions{
+					Analyzers: map[string]int{
+						"alpine": 1,
+						"debian": 1,
+					},
+				},
+				hookVersions: map[string]int{
+					"python-pkg": 1,
+				},
+				secretConfigPath: "trivy-secret.yaml",
+			},
+			want: "sha256:c720b502991465ea11929cfefc71cf4b5aeaa9a8c0ae59fdaf597f957f5cdb18",
+		},
 		{
 			name: "with policy/non-existent dir",
 			args: args{
@@ -201,6 +238,10 @@ func TestCalcKey(t *testing.T) {
 					PolicyPaths: tt.args.policy,
 					DataPaths:   tt.args.data,
 				},
+
+				SecretScannerOption: analyzer.SecretScannerOption{
+					ConfigPath: tt.args.secretConfigPath,
+				},
 			}
 			got, err := CalcKey(tt.args.key, tt.args.analyzerVersions, tt.args.hookVersions, artifactOpt)
 			if tt.wantErr != "" {

pkg/fanal/cache/testdata/trivy-secret.yaml

@@ -0,0 +1,4 @@
+disable-allow-rules:
+  - usr-dirs
+  - examples
+