Trivy client server mode not scanning secrets exposed in image, Trivy standalone works. #1836
Comments
@gsingh737 thanks for the input, I'll have a look.
@chen-keinan gsingh737/nginxwithsecret:v1 is public on Docker Hub.
@gsingh737 sorry for getting to this late. I have tried scanning your image with trivy 0.51.1 in image mode and did not get any results: trivy image gsingh737/nginxwithsecret:v1 --image-config-scanners secret --scanners secret
2024-05-20T11:55:30+03:00 INFO Container image config scanners scanners=[secret]
2024-05-20T11:55:30+03:00 INFO Secret scanning is enabled
2024-05-20T11:55:30+03:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:55:30+03:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
Am I missing anything?
@jemag does it work for you in client/server mode: AND
Related aquasecurity/trivy#6742
@jemag, thanks for checking it out. I have made several tests and got mixed results.
What steps did you take and what happened:
Running Trivy operator with these ENV values
Built a Dockerfile with the following
Running a pod in the cluster with Trivy Operator running with Trivy server in Client/Server Mode
Exposed Secret Report is not catching any secrets.
What did you expect to happen:
Expected Trivy operator to catch exposed secrets.
Anything else you would like to add:
Running a standalone Trivy image scan catches the exposed secrets using the Trivy CLI, i.e.
trivy image --image-config-scanners secret --scanners secret --timeout 10m nginxwithsecret:v1
When running the Trivy CLI against a Trivy server, it's back to not catching those secrets for the same image:
trivy image --server http://localhost:4954 --image-config-scanners secret --scanners secret --timeout 10m nginxwithsecret:v1
This issue was also reported in #1297 and was thought to be fixed in #1301.
But I believe the fix addresses FS mode scanning, not image scanning, as the fix was only put in
func (p *plugin) getFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string
Environment:
trivy-operator version: 0.18.3
Chart version: 0.20.4
kubectl version: v1.27.7
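A quick way to confirm the discrepancy described above (standalone scan finds secrets, server-mode scan of the same image does not) is to run both scans with `-f json -o <file>` and diff the secret findings rather than eyeballing table output. The script below is an added example, not code from the trivy-operator project or from the issue author: it reads Trivy JSON reports, collects every entry whose `Class` is `secret`, and reports findings present in one mode but absent in the other. The two embedded reports are constructed sample data shaped like Trivy's JSON output (the image name, file paths, rule IDs and line numbers are invented for illustration); the file names `standalone.json` and `server.json` in the usage comment are assumptions.

```python
"""Diff the secret findings of two Trivy JSON reports (standalone vs. client/server mode).

Usage with real reports (file names are assumptions):
  trivy image -f json -o standalone.json --scanners secret --image-config-scanners secret nginxwithsecret:v1
  trivy image -f json -o server.json --server http://localhost:4954 --scanners secret --image-config-scanners secret nginxwithsecret:v1
  python compare_secret_reports.py standalone.json server.json
"""
import json
import sys

# Constructed sample report for a standalone scan: two secret results alongside an OS package result.
# Not real output from the issue; values are invented to look like Trivy's JSON schema.
STANDALONE_REPORT = json.dumps({
    "ArtifactName": "nginxwithsecret:v1",
    "Results": [
        {"Target": "nginxwithsecret:v1 (debian 12.5)", "Class": "os-pkgs", "Type": "debian"},
        {"Target": "etc/app/config.env", "Class": "secret", "Secrets": [
            {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
             "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3,
             "Match": "AWS_ACCESS_KEY_ID=AKIA****************"}]},
        {"Target": "root/.ssh/id_rsa", "Class": "secret", "Secrets": [
            {"RuleID": "private-key", "Category": "AsymmetricPrivateKey", "Severity": "HIGH",
             "Title": "Asymmetric Private Key", "StartLine": 1, "EndLine": 1,
             "Match": "-----BEGIN RSA PRIVATE KEY-----"}]},
    ],
})

# Constructed sample report for the same image scanned through a Trivy server: the secret
# results are missing entirely, which is the symptom the issue describes.
SERVER_REPORT = json.dumps({
    "ArtifactName": "nginxwithsecret:v1",
    "Results": [
        {"Target": "nginxwithsecret:v1 (debian 12.5)", "Class": "os-pkgs", "Type": "debian"},
    ],
})


def secret_findings(report_json):
    """Return a set of (target, rule_id, start_line) tuples for every secret in a Trivy JSON report.

    "Results" may be absent or null when a scan produced nothing, so both cases are tolerated.
    Only results with Class == "secret" carry a "Secrets" list; other classes are skipped.
    """
    report = json.loads(report_json)
    found = set()
    for result in report.get("Results") or []:
        if result.get("Class") != "secret":
            continue
        for secret in result.get("Secrets") or []:
            found.add((result.get("Target", ""), secret["RuleID"], secret.get("StartLine")))
    return found


def compare_modes(standalone_json, server_json):
    """Return which secret findings appear only in standalone mode, only in server mode, or in both."""
    standalone = secret_findings(standalone_json)
    server = secret_findings(server_json)
    return {
        "only_standalone": sorted(standalone - server),
        "only_server": sorted(server - standalone),
        "common": sorted(standalone & server),
    }


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            diff = compare_modes(f1.read(), f2.read())
    else:
        # No report files given: run against the constructed samples above.
        diff = compare_modes(STANDALONE_REPORT, SERVER_REPORT)
    for bucket, findings in diff.items():
        print(f"{bucket}: {len(findings)}")
        for target, rule_id, line in findings:
            print(f"  {target}:{line} {rule_id}")
    # Non-zero exit when server mode dropped findings, so this can gate a CI check.
    return 1 if diff["only_standalone"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The comparison keys on target path, rule ID and start line rather than on the matched string, because Trivy masks part of the `Match` value and that masking is not guaranteed to be byte-identical across runs.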