feat: add trivy secret scanning #440

Merged
158 changes: 158 additions & 0 deletions linters/trivy/config_expected_issues.json
@@ -0,0 +1,158 @@
[
Please also delete the expected_issues.json file

{
"line": "1",
"code": "AVD-AWS-0028",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "terraform",
"isSecurity": true,
"message": "Instance does not require IMDS access to require a token",
"file": "test_data/aws.tf"
},
{
"line": "1",
"code": "AVD-AWS-0131",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "terraform",
"isSecurity": true,
"message": "Root block device is not encrypted.",
"file": "test_data/aws.tf"
},
{
"code": "DS026",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "docker",
"isSecurity": true,
"message": "Add HEALTHCHECK instruction in your Dockerfile",
"file": "test_data/basic.Dockerfile"
},
{
"code": "DS002",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "docker",
"isSecurity": true,
"message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"file": "test_data/basic.Dockerfile"
},
{
"code": "KSV116",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "pod security-context-demo in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
"file": "test_data/basic.yaml"
},
{
"code": "KSV104",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "container sec-ctx-demo of pod security-context-demo in default namespace should specify a seccomp profile",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV106",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "container should drop all",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV020",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.runAsUser' > 10000",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV003",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should add 'ALL' to 'securityContext.capabilities.drop'",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV013",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should specify an image tag",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV021",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.runAsGroup' > 10000",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV014",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.readOnlyRootFilesystem' to true",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV030",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV011",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'resources.limits.cpu'",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV012",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'securityContext.runAsNonRoot' to true",
"file": "test_data/basic.yaml"
},
{
"line": "14",
"code": "KSV018",
"level": "LEVEL_HIGH",
"linter": "trivy",
"targetType": "yaml",
"isSecurity": true,
"message": "Container 'sec-ctx-demo' of Pod 'security-context-demo' should set 'resources.limits.memory'",
"file": "test_data/basic.yaml"
}
]
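Review bot: None of the sixteen expected issues references test_data/secrets.py or the new fs-secret command, so this fixture pins only the config scanner's output; unless a separate expected-issues file elsewhere in the PR covers secret findings, the output of the new secret parser is not asserted by any test. Four entries (DS026, DS002, KSV116, KSV104) carry no `line` while the others use the string form `"line": "1"`, so the element shape is not uniform; if the harness schema permits an integer, `"line": 1` would be the more conventional JSON, otherwise a short comment in the PR description on why line is a string would help the next person editing this file.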
27 changes: 23 additions & 4 deletions linters/trivy/plugin.yaml
Expand Up @@ -26,23 +26,41 @@ tools:
lint:
definitions:
- name: trivy
files: [lockfile, docker, yaml, terraform]
tools: [trivy]
suggest_if: files_present
known_good_version: 0.37.1
commands:
- name: fs
- name: fs-vuln
files: [lockfile]
output: sarif
run: trivy fs ${target} --format json --no-progress --cache-dir ${shared_cachedir}
run:
trivy fs ${target} --scanners vuln --format json --no-progress --cache-dir
${shared_cachedir}
success_codes: [0]
read_output_from: stdout
# Trivy does not support batching
batch: false
is_security: true
parser:
runtime: python
run: python3 ${plugin}/linters/trivy/trivy_fs_to_sarif.py
run: python3 ${plugin}/linters/trivy/trivy_fs_vuln_to_sarif.py
- name: fs-secret
files: [ALL]
Comment on lines +47 to +48

Before we end up turning this on for everyone, couple verification questions:

  1. How does performance compare to something like trufflehog?
  2. How does secret scanning effectiveness compare to something like trufflehog?
  3. What's the relative noisiness for our monorepo?

If any of these answers are in the negative direction, we may want to consider disabling this subcommand by default.


I think this should be disabled by default.

  1. It's slower than trufflehog.
  2. It's about the same, I think.
  3. Almost none - it has the added benefit of ignoring our many fake secrets in test files by default.

Despite these, it has a few benefits over trufflehog - you can define your own regexes to search for and you can define regexes to not alert on (e.g. if you only use AWS keys, you can only search for those, making this tool faster). I think having trufflehog enabled for everybody, and then trivy secret scanning available but disabled by default for users looking to customize their secret scanning further is the best way to go.

output: sarif
run:
trivy fs ${target} --scanners secret --format json --no-progress --cache-dir
${shared_cachedir}
success_codes: [0]
read_output_from: stdout
# Trivy does not support batching
batch: false
is_security: true
enabled: false
parser:
runtime: python
run: python3 ${plugin}/linters/trivy/trivy_fs_secret_to_sarif.py
- name: config
files: [docker, yaml, terraform]
output: sarif
run: trivy config ${target} --format json --cache-dir ${shared_cachedir}
success_codes: [0]
Expand All @@ -53,6 +71,7 @@ lint:
parser:
runtime: python
run: python3 ${plugin}/linters/trivy/trivy_config_to_sarif.py
direct_configs: [trivy-secret.yaml]
version_command:
parse_regex: Version ${semver}
run: trivy --version
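Review bot: `direct_configs: [trivy-secret.yaml]` in the second hunk is added without the fs-secret `run:` line passing that file to Trivy, so the custom rules are only honoured if Trivy's default lookup happens to find `trivy-secret.yaml` in the directory the command is executed from; confirm that with the sandboxed working directory, or reference the file explicitly in the command. The indentation is lost in this rendering, so I also cannot tell whether that key sits at definition level or under the `config` command's parser block. Separately, Trivy's JSON secret results carry the matched text, and `trivy_fs_secret_to_sarif.py` is not in this diff; please verify it reports the rule ID and title rather than copying the match into the SARIF message, so a finding does not re-expose the credential in CI logs and PR annotations. The enclosing `lint.definitions` entry starts before this hunk.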
50 changes: 50 additions & 0 deletions linters/trivy/test_data/secrets.py
@@ -0,0 +1,50 @@
# This aws key is an example and not a real key.
aws_access_key_id = "AKIAXYZDQCEN4EXAMPLE"
aws_secret_access_key = "Tg0pz8Jii8hkLx4+PnUisM8GmKs3a2DK+EXAMPLE"

# The below keys are copied from https://github.com/dustin-decker/secretsandstuff
github_secret = "369963c1434c377428ca8531fbc46c0c43d037a0"

basic_auth = "https://admin:[email protected]/basic_auth"

priv_key = """
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
"""
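--- a/linters/trivy/test_data/trivy_v0.37.1_config.check.shot
+++ b/linters/trivy/test_data/trivy_v0.37.1_config.check.shot
@@ -0,0 +1,56 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Testing linter trivy test config 1`] = `
+{
+"issues": [],
+"lintActions": [
+{
+"command": "config",
+"fileGroupName": "yaml",
+"linter": "trivy",
+"paths": [
+".trunk/trunk.yaml",
+],
+"verb": "TRUNK_VERB_CHECK",
+},
+{
+"command": "config",
+"fileGroupName": "yaml",
+"linter": "trivy",
+"paths": [
+"plugin.yaml",
+],
+"verb": "TRUNK_VERB_CHECK",
+},
+{
+"command": "config",
+"fileGroupName": "terraform",
+"linter": "trivy",
+"paths": [
+"test_data/aws.tf",
+],
+"verb": "TRUNK_VERB_CHECK",
+},
+{
+"command": "config",
+"fileGroupName": "docker",
+"linter": "trivy",
+"paths": [
+"test_data/basic.Dockerfile",
+],
+"verb": "TRUNK_VERB_CHECK",
+},
+{
+"command": "config",
+"fileGroupName": "yaml",
+"linter": "trivy",
+"paths": [
+"test_data/basic.yaml",
+],
+"verb": "TRUNK_VERB_CHECK",
+},
+],
+"taskFailures": [],
+"unformattedFiles": [],
+}
+`;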