
Exposed secrets are not reported when using the html template #3628

Closed
fepeti opened this issue Feb 15, 2023 · 5 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments


fepeti commented Feb 15, 2023

Description

Scanning one of our images with parameters --format template --template "@contrib/html.tpl", --severity HIGH,CRITICAL, and --exit-code 1 causes Trivy to exit with exit code 1, but the generated report shows that there were 0 vulnerabilities. After removing the format parameters, the report includes
Total: 1 (HIGH: 1, CRITICAL: 0) HIGH: AsymmetricPrivateKey (private-key)

What did you expect to happen?

An html report, that contains the exposed secret vulnerability.

What happened instead?

The report contained no vulnerabilities.

Output of run with -debug:

2023-02-15T11:18:13.782Z        DEBUG   Severities: ["HIGH" "CRITICAL"]
2023-02-15T11:18:13.785Z        DEBUG   cache dir:  /root/.cache/trivy
2023-02-15T11:18:13.785Z        DEBUG   DB update was skipped because the local DB is the latest
2023-02-15T11:18:13.785Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-02-15 06:07:33.487254615 +0000 UTC, NextUpdate: 2023-02-15 12:07:33.487254215 +0000 UTC, DownloadedAt: 2023-02-15 11:17:47.783875378 +0000 UTC
2023-02-15T11:18:13.785Z        INFO    Vulnerability scanning is enabled
2023-02-15T11:18:13.785Z        DEBUG   Vulnerability type:  [os library]
2023-02-15T11:18:13.785Z        INFO    Secret scanning is enabled
2023-02-15T11:18:13.785Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-15T11:18:13.786Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-15T11:18:13.790Z        DEBUG   No secret config detected: trivy-secret.yaml
2023-02-15T11:18:13.790Z        DEBUG   Saving the container image to a local file to obtain the image config...
2023-02-15T11:18:16.741Z        DEBUG   Image ID: ...
2023-02-15T11:18:16.741Z        DEBUG   Diff IDs: [...]
2023-02-15T11:18:16.752Z        INFO    Detected OS: redhat
2023-02-15T11:18:16.752Z        INFO    Detecting RHEL/CentOS vulnerabilities...
2023-02-15T11:18:16.752Z        DEBUG   Red Hat: os version: 8
2023-02-15T11:18:16.752Z        DEBUG   Red Hat: the number of packages: 125
2023-02-15T11:18:16.781Z        INFO    Number of language-specific files: 0
2023-02-15T11:18:16.781Z        DEBUG   Secret file: /usr/local/primus/bin/sft.rsa.private.key.pem
2023-02-15T11:18:16.864Z        DEBUG   Found an ignore file .trivyignore
2023-02-15T11:18:16.864Z        DEBUG   These IDs will be ignored: ["CVE-2019-1010022" "CVE-2022-47629"]
2023-02-15T11:18:16.864Z        DEBUG   Found an ignore file .trivyignore
2023-02-15T11:18:16.864Z        DEBUG   These IDs will be ignored: ["CVE-2019-1010022" "CVE-2022-47629"]
make: *** [../../makefile-include.mk:133: trivy-scan] Error 1

Output of trivy -v:

Version: 0.37.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-02-15 06:07:33.487254615 +0000 UTC
  NextUpdate: 2023-02-15 12:07:33.487254215 +0000 UTC
  DownloadedAt: 2023-02-15 08:28:53.640678126 +0000 UTC

Additional details (base image name, container registry info...):
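As an added example (not Trivy's own contrib/html.tpl or any project code), the following Go program renders a Trivy-style JSON report with a template that walks both .Vulnerabilities and .Secrets, so a secret-only result like the one above is not dropped from the rendered page. The struct subset and the sample report are constructed here and assume Trivy's JSON field names (Results, Target, Vulnerabilities, VulnerabilityID, Secrets, RuleID, Title, Severity, StartLine).

```go
package main

import (
	"bytes"
	"encoding/json"
	"html/template" // contextual escaping for values copied out of scanned file contents
)

// Subset of Trivy's JSON report. Field names follow Trivy's output; the subset is an assumption.
type Report struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			VulnerabilityID string `json:"VulnerabilityID"`
			Severity        string `json:"Severity"`
		} `json:"Vulnerabilities"`
		Secrets []struct {
			RuleID    string `json:"RuleID"`
			Title     string `json:"Title"`
			Severity  string `json:"Severity"`
			StartLine int    `json:"StartLine"`
		} `json:"Secrets"`
	} `json:"Results"`
}

// Template that walks .Secrets as well as .Vulnerabilities. A template that only
// ranges over .Vulnerabilities renders an empty table for a secret-only result,
// even though the exit code already counts the secret as a finding.
const tpl = `{{range .Results}}<h2>{{.Target}}</h2><table>
{{range .Vulnerabilities}}<tr><td>{{.VulnerabilityID}}</td><td>{{.Severity}}</td></tr>
{{end}}{{range .Secrets}}<tr><td>{{.RuleID}}</td><td>{{.Title}}</td><td>{{.Severity}}</td><td>line {{.StartLine}}</td></tr>
{{end}}</table>
{{end}}`

// Constructed sample: one HIGH secret and no package vulnerabilities, like the issue.
const Sample = `{"Results":[{"Target":"/usr/local/primus/bin/sft.rsa.private.key.pem",
"Secrets":[{"RuleID":"private-key","Title":"AsymmetricPrivateKey","Severity":"HIGH","StartLine":1}]}]}`

// Render parses a Trivy JSON report and renders it with tpl.
func Render(reportJSON string) (string, error) {
	var r Report
	if err := json.Unmarshal([]byte(reportJSON), &r); err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := template.Must(template.New("report").Parse(tpl)).Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```

Because html/template is used rather than text/template, a secret match or title lifted from file contents is escaped before it lands in the HTML report.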

@fepeti fepeti added the kind/bug Categorizes issue or PR as related to a bug. label Feb 15, 2023
@itaysk itaysk added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Feb 16, 2023
Contributor

itaysk commented Feb 16, 2023

Thanks for opening an issue. I removed the bug label since it's by design that the output template doesn't contain all possible information. It's a legitimate feature request though, if someone wants to implement it.

@itaysk itaysk added help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. labels Feb 16, 2023

admodev commented Feb 24, 2023

I think that if you want to report secrets in the html template, you will have to implement it; if you are working on that feature now, it would be interesting to have a look...

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 26, 2023
@afdesk afdesk removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 26, 2023
@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 8, 2023

tomp21 commented Oct 25, 2024

@knqyf263 is this still wanted? I see the PR implementing it was abandoned; I could give a hand.

Contributor

itaysk commented Oct 27, 2024

@tomp21 thanks for your interest in contributing; however, we decided not to maintain the html template (or any other template) in the Trivy codebase, and instead recommend the community create Trivy plugins for various output formats. One popular plugin is https://github.com/fatihtokus/scan2html

@itaysk itaysk closed this as completed Oct 27, 2024