Some secret detection regexes expect the value to be surrounded by quotes

[nikpivkin]

Discussed in #6785

^{Originally posted by asankov May 27, 2024}

Description

I am playing around with the secret detection features and I see that some matchers like grafana-api-token, hashicorp-tf-api-token and others expect that the value of the token is surrounded by quotes ['\"].

This means that If I have a file like this:

grafana:
    token: eyJrIjoiNjQyOT...

or

GRAFANA_TOKEN=eyJrIjoiNjQyOT...

the value would not be detected by the scanner.

What is the reason to expect them to be like that?

Desired Behavior

The token is matched regardless of whether the value is surrounded by quotes or not.

Actual Behavior

Token is not matched unless value is in quotes.

Reproduction Steps

1. Create a YAML or .env file similar to the one I provided in the description of the issue.
2. Run it via the secret detector
3. Observe that no findings are reported

Target

Filesystem

Scanner

Secret

Output Format

None

Mode

None

Debug Output

$ trivy fs secrets --debug
2024-05-27T13:40:23+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-27T13:40:23+03:00	DEBUG	Ignore statuses	statuses=[]
2024-05-27T13:40:23+03:00	DEBUG	Cache dir	dir="/Users/asankov/Library/Caches/trivy"
2024-05-27T13:40:23+03:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-27T13:40:23+03:00	DEBUG	DB info	schema=2 updated_at=2024-05-27T06:12:09.854561954Z next_update=2024-05-27T12:12:09.854561794Z downloaded_at=2024-05-27T10:39:59.156462Z
2024-05-27T13:40:23+03:00	INFO	Vulnerability scanning is enabled
2024-05-27T13:40:23+03:00	DEBUG	Vulnerability type	type=[os library]
2024-05-27T13:40:23+03:00	INFO	Secret scanning is enabled
2024-05-27T13:40:23+03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-27T13:40:23+03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-27T13:40:23+03:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-27T13:40:23+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-27T13:40:23+03:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-27T13:40:23+03:00	DEBUG	OS is not detected.
2024-05-27T13:40:23+03:00	DEBUG	Detected OS: unknown
2024-05-27T13:40:23+03:00	INFO	Number of language-specific files	num=0

Operating System

macOS

Version

Version: 0.51.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-27 06:12:09.854561954 +0000 UTC
  NextUpdate: 2024-05-27 12:12:09.854561794 +0000 UTC
  DownloadedAt: 2024-05-27 10:39:59.156462 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[asankov]

Do you want me to contribute a fix?

It will be trivial to make the quotes optional.

[nikpivkin]

@asankov Thanks for your interest! Trivy is open for contributions https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md

[sgaist]

Hi,

I would like to tackle this for Hacktoberfest.