Description
Scanning repositories that contain genetic sequences (example:
MSKDDRIEMQGEVLENLPNATFRVKLENTHVVLGYISSKMRMHYIRILPGDKAKIAMTPYDLSRARIIFRAK
) detects AWS keys. It seems to happen when a string ends with a substring that might match an AWS key regex.
Desired Behavior
Trivy shouldn't detect an AWS key in genetic sequences: they are much longer than a key, and statistically may end with a substring that matches the AWS key regex.
Actual Behavior
Many false positive sensitive data findings.
Reproduction Steps
1. Scan a repository with a random genetic sequence
2. AWS keys are detected if a sequence ends with one of the 4-character prefixes (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA) followed by 16 random uppercase letters and digits
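The matching behaviour behind these steps, as an added example that is not Trivy's own code: the prefix-plus-16-characters pattern quoted in the issue, beside a variant that additionally requires ASCII word boundaries so a candidate embedded in a longer alphanumeric run (a protein sequence, a hash, a base64 blob) is rejected. The protein sequence is the one from this issue; the key line is constructed and uses the AWS documentation placeholder `AKIAIOSFODNN7EXAMPLE`.

```go
package main

import (
	"fmt"
	"regexp"
)

// Naive rule: one of the known prefixes followed by 16 key characters,
// matched anywhere in the text. Assumption: this mirrors the rule quoted
// in the issue; it is not copied from Trivy's rule set.
var naiveKeyRe = regexp.MustCompile(
	`(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`)

// Bounded rule: the same pattern, but \b on both sides means the 20-character
// candidate must not be preceded or followed by another word character.
// RE2 has no lookaround, so \b is the cheapest way to express "standalone".
var boundedKeyRe = regexp.MustCompile(
	`\b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b`)

// naiveFindings returns every substring the naive rule flags.
func naiveFindings(text string) []string {
	return naiveKeyRe.FindAllString(text, -1)
}

// boundedFindings returns every substring the bounded rule flags.
func boundedFindings(text string) []string {
	return boundedKeyRe.FindAllString(text, -1)
}

func main() {
	// Protein sequence taken from the issue: it ends in AKIA + 16 residues.
	sequence := "MSKDDRIEMQGEVLENLPNATFRVKLENTHVVLGYISSKMRMHYIRILPGDKAKIAMTPYDLSRARIIFRAK"
	// Constructed config line with the AWS documentation placeholder key.
	configLine := "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"

	for _, text := range []string{sequence, configLine} {
		fmt.Printf("input:   %s\n", text)
		fmt.Printf("naive:   %v\n", naiveFindings(text))
		fmt.Printf("bounded: %v\n\n", boundedFindings(text))
	}
}
```

`\b` counts `_` as a word character, so a key glued directly onto an underscore-terminated identifier would be skipped by the bounded rule; that is a small recall cost against the large precision gain on sequence-like data.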
Target
None
Scanner
Secret
Output Format
None
Mode
None
Debug Output
▶ trivy fs --debug --scanners secret .
2023-05-29T10:34:54.162+0300 DEBUG Severities: ["UNKNOWN""LOW""MEDIUM""HIGH""CRITICAL"]
2023-05-29T10:34:54.174+0300 DEBUG cache dir: /home/ori/.cache/trivy
2023-05-29T10:34:54.174+0300 INFO Secret scanning is enabled
2023-05-29T10:34:54.174+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-29T10:34:54.174+0300 INFO Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-05-29T10:34:54.174+0300 DEBUG No secret config detected: trivy-secret.yaml
2023-05-29T10:34:54.174+0300 DEBUG Walk the file tree rooted at '.'in parallel
2023-05-29T10:34:54.178+0300 DEBUG OS is not detected.
2023-05-29T10:34:54.178+0300 DEBUG Secret file: detect-secret
detect-secret (secrets)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
CRITICAL: AWS (aws-access-key-id)
════════════════════════════════════════════════════════════════════════════════
AWS Access Key ID
────────────────────────────────────────────────────────────────────────────────
detect-secret:1
────────────────────────────────────────────────────────────────────────────────
1 [ MAKEDRIEMQGEVLENLPNATFRVKLENGHVVLGYISGKMRMHYIRILPGDK********************
2
────────────────────────────────────────────────────────────────────────────────
Operating System
Linux
Version
Version: 0.41.1
Vulnerability DB:
Version: 2
UpdatedAt: 2023-05-23 06:07:39.171752731 +0000 UTC
NextUpdate: 2023-05-23 12:07:39.171752331 +0000 UTC
DownloadedAt: 2023-05-23 12:03:55.05720017 +0000 UTC
Labels: kind/bug, help wanted, good first issue
Checklist
trivy --reset