JWT secret detector only works if "JWT" word is in scope

[asankov]

Description

The secret detector would not detect a JWT unless there is the word "JWT" somewhere on the line.

For example, this file:

token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

would yield no findings, but this one:

jwt: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

will.

This is due to the jwt being set in the Keywords in the jwt matcher - https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go#L591

Desired Behavior

JWT token is detected regardless of other context.

Actual Behavior

JWT token is detected only if jwt is present on the line

Reproduction Steps

1. Create a file similar to the one in the description
2. Run `trivy fs <file>`
3. Observe no findings

Target

Filesystem

Scanner

Secret

Output Format

None

Mode

None

Debug Output

2024-05-27T14:39:46+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-27T14:39:46+03:00	DEBUG	Ignore statuses	statuses=[]
2024-05-27T14:39:46+03:00	DEBUG	Cache dir	dir="/Users/asankov/Library/Caches/trivy"
2024-05-27T14:39:46+03:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-27T14:39:46+03:00	DEBUG	DB info	schema=2 updated_at=2024-05-27T06:12:09.854561954Z next_update=2024-05-27T12:12:09.854561794Z downloaded_at=2024-05-27T10:39:59.156462Z
2024-05-27T14:39:46+03:00	INFO	Vulnerability scanning is enabled
2024-05-27T14:39:46+03:00	DEBUG	Vulnerability type	type=[os library]
2024-05-27T14:39:46+03:00	INFO	Secret scanning is enabled
2024-05-27T14:39:46+03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-27T14:39:46+03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-27T14:39:46+03:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-27T14:39:46+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-27T14:39:46+03:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-27T14:39:46+03:00	DEBUG	OS is not detected.
2024-05-27T14:39:46+03:00	DEBUG	Detected OS: unknown
2024-05-27T14:39:46+03:00	INFO	Number of language-specific files	num=0

Operating System

macOS

Version

Version: 0.51.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-27 06:12:09.854561954 +0000 UTC
  NextUpdate: 2024-05-27 12:12:09.854561794 +0000 UTC
  DownloadedAt: 2024-05-27 10:39:59.156462 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @asankov
Thanks for your report!

Created #6802

Regards, Dmitriy