Ability to ignore AsymmetricPrivateKey using a Trivyignore file

[nilushancosta]

Description

A Docker image I recently scanned had the following detection in a Python file in site-packages

HIGH: AsymmetricPrivateKey (private-key)

This was a false positive because it wasn't an actual private key. To ignore it, I provided the file path to the --skip-files flag.
Is it possible to provide the ability to use the Trivyignore file to ignore such detections?

Suggested trivyignore entry

<type>-<filepath>:[lineNumber]

AsymmetricPrivateKey-/path/to/file:123   # To ignore the detection of AsymmetricPrivateKey in a specific line
AsymmetricPrivateKey-/path/to/file       # To ignore the detection of AsymmetricPrivateKeys in an entire file

• With a Trivyignore file, everything we have ignored is in a single location. When we use a CLI flag, we need to check another location (the CLI command) to see what has been ignored.
• Ignoring a specific line number is safer because a new secret may be introduced in a new line which may be missed if we ignore the entire file. Hence the above suggestion to specify a line number.

Target

Filesystem

Scanner

Secret

[knqyf263]

You can configure allow-rules.
https://aquasecurity.github.io/trivy/v0.42/docs/scanner/secret/#configuration

[nilushancosta]

I tried it but couldn't get it to work.

I used the following command to run the scan

docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $HOME/Library/Caches:/root/.cache/ \
-v "${PWD}/.trivyignore":/.trivyignore:ro \
-v "${PWD}/trivy-secret.yaml":/trivy-secret.yaml:ro \
aquasec/trivy:latest image \
--exit-code 1 \
--severity MEDIUM,HIGH,CRITICAL\
 --ignorefile /.trivyignore  gcr.io/datadoghq/agent:7.43.1

It detected the following

/opt/datadog-agent/embedded/lib/python3.8/site-packages/snowflake/connector/secret_detector.py (secrets)
========================================================================================================
Total: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /opt/datadog-agent/embedded/lib/python3.8/site-packages/snowflake/connector/secret_detector.py:78 (added in layer 'dc53f03f2aae')
────────────────────────────────────────
  76       def mask_private_key(text: str) -> str:
  77           return SecretDetector.PRIVATE_KEY_PATTERN.sub(
  78 [             "-----BEGIN PRIVATE KEY-----**************-----END PRIVATE KEY-----", text
  79           )
────────────────────────────────────────

Although I had the following in my trivy-secret file, above one did not get allowed

allow-rules:
  - id: skip-secret-detector
    description: skip secret_detector py file
    path: /opt/datadog-agent/embedded/lib/python3.8/site-packages/snowflake/connector/secret_detector.py

Output of the --version command is as follows

sec/trivy:latest --version
Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-06-13 06:07:07.790757019 +0000 UTC
  NextUpdate: 2023-06-13 12:07:07.790756619 +0000 UTC
  DownloadedAt: 2023-06-13 06:26:16.701236 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-06-12 00:58:09.155334694 +0000 UTC
  NextUpdate: 2023-06-15 00:58:09.155334094 +0000 UTC
  DownloadedAt: 2023-06-12 05:17:18.798051 +0000 UTC

[knqyf263]

@afdesk Can you please take a look?

[afdesk]

yes, sure. I'll take a look.

[afdesk]

@nilushancosta
your config works correctly. it seems Trivy can't find trivy-secret.yaml inside the docker container.
I assume you should add --secret-config flag to the run. something like it:

docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $HOME/Library/Caches:/root/.cache/ \
-v "${PWD}/.trivyignore":/.trivyignore:ro \
-v "${PWD}/trivy-secret.yaml":/trivy-secret.yaml:ro \
aquasec/trivy:latest image \
--exit-code 1 \
--severity MEDIUM,HIGH,CRITICAL \
--secret-config /trivy-secret.yaml \
--ignorefile /.trivyignore  gcr.io/datadoghq/agent:7.43.1

[nilushancosta]

Thanks for checking this @afdesk . I will try with that flag