How to exclude paths?
Chan9390 opened this issue · comments
I read the documentation and found that I can exclude certain paths by appending them to exclude_paths.
Trying to evaluate this tool, I found the following false positive:
```json
{
  "Image Layer ID": "xxxxxxxxxxx",
  "Matched Rule ID": 135,
  "Matched Rule Name": "Contains a private key",
  "Matched Part": "contents",
  "String to Match": "",
  "Signature to Match": "-----BEGIN (EC|RSA|DSA|OPENSSH|PGP) PRIVATE KEY",
  "Severity": "medium",
  "Severity Score": 5.08,
  "Starting Index of Match in Original Content": 0,
  "Relative Starting Index of Match in Displayed Substring": 0,
  "Relative Ending Index of Match in Displayed Substring": 26,
  "Full File Name": "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/node_modules/proxy-agent/test/ssl-cert-snakeoil.key",
  "Matched Contents": "-----BEGIN RSA PRIVATE KEY-----"
},
```
While there's a private key in the path, it's added to the container by the repo's dependencies. So in order to remove any detection of secrets in the usr/local/share/.cache path, I appended it to the exclude_paths list:
Snippet:
```yaml
# Secret Scanner Configuration File
blacklisted_strings: ["node_modules"] # skip matches containing any of these strings (case sensitive)
blacklisted_extensions: [".exe", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock", ".pem"]
blacklisted_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{sep}lib{sep}containerd", "{sep}var{sep}lib{sep}containers", "{sep}var{sep}lib{sep}crio", "{sep}var{sep}run{sep}containers", "{sep}bin", "{sep}boot", "{sep}dev", "{sep}lib", "{sep}lib64", "{sep}media", "{sep}proc", "{sep}run", "{sep}sbin", "{sep}usr{sep}lib", "{sep}sys", "{sep}home{sep}kubernetes"]
exclude_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{name_sep}lib{name_sep}docker", "{sep}var{sep}lib{sep}containerd", "{sep}var{name_sep}lib{name_sep}containerd", "{sep}usr{sep}local{sep}share{sep}.cache"] # use {sep} for the OS' path separator (i.e. / or \) and {name_sep} for -
signatures:
  - part: 'extension'
```
And ran the command:
```shell
docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_secret_scanner:latest -image-name <image>:latest --config-path secretscanner
```
(where config.yaml is saved in the secretscanner directory).
SecretScanner still detects this path and the false positive.
PS: I tried using {name_sep} instead of {sep}, and tried adding the path to blacklisted_strings and blacklisted_paths. Nothing worked so far.
@deviprasad303 please take a look
@Chan9390 please add usr{sep}local{sep}share{sep}.cache inside blacklisted_paths. There should not be a {sep} at the start of the path. Please also add usr{sep}local{sep}share{sep}.cache in exclude_paths. The exclude path removes everything that contains the given subpath.
@Chan9390 can you check if it works out for you?
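The maintainer's reply above explains why the original config had no effect: the scanner reports file names relative to the image root (no leading slash, as in the "Full File Name" field of the finding), and exclude_paths is a "contains this subpath" match. The small Go program below is an added example written for this thread, not SecretScanner's own code, and it assumes the placeholder rules from the config comment ({sep} becomes the OS path separator, {name_sep} becomes "-") and the substring semantics the maintainer describes. It shows that "{sep}usr{sep}local{sep}share{sep}.cache" expands to "/usr/local/share/.cache", which never occurs in a relative file name, while the same pattern without the leading {sep} does match the finding's path.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample input: the file name from the finding in this issue.
// SecretScanner reports it relative to the image root, with no leading "/".
const sampleFinding = "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-" +
	"d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/node_modules/proxy-agent/test/ssl-cert-snakeoil.key"

// expandPlaceholders substitutes {sep} with the given path separator and
// {name_sep} with "-". Assumption: this mirrors the placeholder rules described
// in the config comment; it is not the project's own implementation.
func expandPlaceholders(pattern, sep string) string {
	return strings.NewReplacer("{sep}", sep, "{name_sep}", "-").Replace(pattern)
}

// matchingExclusion returns the first exclude_paths entry whose expanded form is
// contained in filePath, or "" when nothing matches. Assumption: exclude_paths
// is a plain substring ("contains the given subpath") check, as the maintainer
// states above, not an anchored prefix match.
func matchingExclusion(filePath string, excludePaths []string, sep string) string {
	for _, pattern := range excludePaths {
		if strings.Contains(filePath, expandPlaceholders(pattern, sep)) {
			return pattern
		}
	}
	return ""
}

func main() {
	sep := string(filepath.Separator)

	// The entry from the reporter's config: leading {sep} means the expanded
	// pattern starts with "/", which a relative file name never contains.
	withLeadingSep := []string{"{sep}usr{sep}local{sep}share{sep}.cache"}
	// The entry the maintainer recommends: no leading separator.
	withoutLeadingSep := []string{"usr{sep}local{sep}share{sep}.cache"}

	fmt.Printf("finding: %s\n", sampleFinding)
	fmt.Printf("with leading {sep}    -> excluded by: %q\n",
		matchingExclusion(sampleFinding, withLeadingSep, sep))
	fmt.Printf("without leading {sep} -> excluded by: %q\n",
		matchingExclusion(sampleFinding, withoutLeadingSep, sep))
}
```

Run it with `go run main.go`: the first line reports no match (the finding would still be scanned) and the second reports the corrected pattern. The same check explains why adding the path to blacklisted_strings did not help either, since "node_modules" style string matching is applied to matched content rather than file names in the snippet above, but that is the reporter's observation, not something this example tests.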