feat: enhance secret scanning for specific binary files

[knqyf263]

Description

Currently, Trivy skips binary files during secret scanning. However, recent incidents have shown that certain binary files, such as .pyc files, may contain valuable information for secret detection. We propose enhancing Trivy's secret scanning capabilities to include specific binary file types.

Proposed Solution

1. Implement a strings-like functionality for extracting printable characters from binary files.
2. Apply secret scanning to the extracted strings.
3. Initially, limit this functionality to a predefined list of file extensions (e.g., .pyc) to avoid significant performance degradation.

Implementation Details

• Create a list of binary file extensions to be scanned (starting with .pyc).
• Implement a strings-like function to extract printable characters from these files.
• Integrate this functionality into the existing secret scanning workflow.
• Ensure that the performance impact is minimized by only applying this to specified file types.

Here's a sample implementation of the strings-like functionality in Go:

package main

import (
    "bufio"
    "fmt"
    "io"
    "os"
    "unicode"
)

func main() {
    if len(os.Args) < 2 {
        fmt.Println("Please specify a filename")
        return
    }

    filename := os.Args
    file, err := os.Open(filename)
    if err != nil {
        fmt.Printf("Error opening file: %v\n", err)
        return
    }
    defer file.Close()

    err = extractStrings(file)
    if err != nil {
        fmt.Printf("Error extracting strings: %v\n", err)
    }
}

func extractStrings(r io.Reader) error {
    minLength := 4 // Minimum length of strings to extract
    var current []rune
    reader := bufio.NewReader(r)

    for {
        b, err := reader.ReadByte()
        if err == io.EOF {
            break
        } else if err != nil {
            return err
        }

        r := rune(b)
        if unicode.IsPrint(r) {
            current = append(current, r)
        } else {
            if len(current) >= minLength {
                fmt.Println(string(current))
            }
            current = nil
        }
    }

    // Process the last string
    if len(current) >= minLength {
        fmt.Println(string(current))
    }

    return nil
}

This implementation reads the file byte by byte, extracts printable characters, and outputs strings that meet a minimum length requirement. It can be adapted and integrated into Trivy's scanning process.

Future Considerations

• Evaluate the possibility of extending this functionality to all binary files.
• Monitor performance impacts and adjust the implementation as necessary.

Benefits

• Improved security coverage by including previously skipped binary files.
• Potential to detect secrets in compiled Python files and other similar binary formats.
• Maintains Trivy's performance by limiting the scope to specific file types.

Discussion

#7170