@za
Created November 28, 2023 09:38
Example of Trivy output when scanning for hardcoded secrets

Commands to build the demo image:

$ git clone https://github.com/trufflesecurity/node-app-with-canary-token/
$ cd node-app-with-canary-token/
$ docker build -t node-app-with-canary-token .

Then run Trivy with secret scanning enabled:

➜  node-app-with-canary-token git:(main) trivy image --scanners secret node-app-with-canary-token

2023-11-28T16:34:33.330+0700    INFO    Secret scanning is enabled
2023-11-28T16:34:33.330+0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-28T16:34:33.330+0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection

/app/.env (secrets)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

CRITICAL: AWS (aws-access-key-id)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Access Key ID
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /app/.env:2 (added by 'COPY . . # buildkit')
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   [default]
   2 [ aws_access_key_id = ********************
   3   aws_secret_access_key = ****************************************
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: AWS (aws-secret-access-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /app/.env:3 (added by 'COPY . . # buildkit')
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   [default]
   2   aws_access_key_id = ********************
   3 [ aws_secret_access_key = ****************************************
   4   output = json
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
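The table above is meant for humans; a CI job wants a machine-readable verdict. As an added example that is not part of this gist, the Python below parses Trivy's JSON report (produced with `trivy image --scanners secret --format json ...`) and fails when any secret finding is at or above a chosen severity. The report body is a constructed sample modelled on the two findings shown above, and its field names (`Results`, `Class`, `Secrets`, `RuleID`, `StartLine`, `Layer.CreatedBy`) are assumptions about Trivy's JSON schema that should be checked against your Trivy version.

```python
import json
from collections import Counter

# Constructed sample of a Trivy JSON report (trivy image --scanners secret --format json ...),
# cut down to the two findings shown above. Field names follow Trivy's JSON schema as the
# author of this example understands it; check them against your Trivy version.
SAMPLE_REPORT = json.dumps({"ArtifactName": "node-app-with-canary-token", "Results": [{
    "Target": "/app/.env", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
         "Title": "AWS Access Key ID", "StartLine": 2, "EndLine": 2,
         "Match": "aws_access_key_id = ********************",
         "Layer": {"CreatedBy": "COPY . . # buildkit"}},
        {"RuleID": "aws-secret-access-key", "Category": "AWS", "Severity": "CRITICAL",
         "Title": "AWS Secret Access Key", "StartLine": 3, "EndLine": 3,
         "Match": "aws_secret_access_key = ****************************************",
         "Layer": {"CreatedBy": "COPY . . # buildkit"}}]}]})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def secret_findings(report_json):
    """Flatten the report into (target, line, rule_id, severity, created_by) tuples."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Class") != "secret":  # skip vuln/misconfig results if present
            continue
        for s in result.get("Secrets", []):
            findings.append((result["Target"], s["StartLine"], s["RuleID"], s["Severity"],
                             s.get("Layer", {}).get("CreatedBy", "")))
    return findings

def severity_totals(findings):
    """Per-severity counts, mirroring Trivy's 'Total: N (UNKNOWN: .., CRITICAL: ..)' line."""
    counts = Counter(f[3] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}

def gate(report_json, fail_on="HIGH"):
    """CI gate: exit code 1 if any secret finding is at or above `fail_on`, else 0."""
    threshold = SEVERITY_ORDER.index(fail_on)
    blocking = [f for f in secret_findings(report_json)
                if SEVERITY_ORDER.index(f[3]) >= threshold]
    for target, line, rule, sev, layer in blocking:
        # Report the layer too: it tells you which Dockerfile step copied the secret in.
        print(f"{sev}: {rule} at {target}:{line} (added by {layer!r})")
    return 1 if blocking else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

For a plain pass/fail verdict Trivy's own `--exit-code 1 --severity CRITICAL,HIGH` flags are enough; the parser earns its keep when the job also needs layer attribution or a custom summary.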