Trufflehog not reporting secrets in docker metadata file

[venkatasandeeplade]

Please review the Community Note before submitting

TruffleHog Version

└─$ trufflehog --version
trufflehog 3.78.2

Trace Output

Sorry to say , we can't share as per organisation policy
Command used
trufflehog docker --image=xxxxx.dkr.ecr.us-west-2.amazonaws.com/xx/aiops-pii-mask:1234_abcd_1234

Expected Behavior

Trufflehog should report the secrets exposed in docker config.json/metadata file

Actual Behavior

We have some JFROG passwords in docker metadata / layer information. Trufflehog not reporting them

Environment

• OS:
• └─$ cat cat /etc/os-release
  PRETTY_NAME="Kali GNU/Linux Rolling"
  NAME="Kali GNU/Linux"
  VERSION_ID="2024.1"
  VERSION="2024.1"
  VERSION_CODENAME=kali-rolling
  ID=kali
  ID_LIKE=debian
  HOME_URL="https://www.kali.org/"
  SUPPORT_URL="https://forums.kali.org/"
  BUG_REPORT_URL="https://bugs.kali.org/"
  ANSI_COLOR="1;31"
• Version [e.g. 22]

[v3gard]

Related to #2940

[AlfredBerg]

I'm facing the same issue. The current implementation seems to only scan the created_by field of the config metadata and e.g. not the envs

trufflehog/pkg/sources/docker/docker.go

Line 278 in 3b0b290

Data: []byte(historyInfo.entry.CreatedBy),

Trufflehog seems to already be using https://github.com/google/go-containerregistry/, which has a tool called crane that can get this docker config data, so should not be impossible to scan the whole config instead. Might have a go at creating a pull request.

https://github.com/google/go-containerregistry/tree/main/cmd/crane

$ crane config nginx | jq
{
  "architecture": "amd64",
  "config": {
    "ExposedPorts": {
      "80/tcp": {}
    },
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "NGINX_VERSION=1.27.1",
      "NJS_VERSION=0.8.5",
      "NJS_RELEASE=1~bookworm",
      "PKG_RELEASE=1~bookworm",
      "DYNPKG_RELEASE=2~bookworm"
    ],
    "Entrypoint": [
      "/docker-entrypoint.sh"
    ],
    "Cmd": [
...