deepfence / SecretScanner

:unlock: :unlock: Find secrets and passwords in container images and file systems :unlock: :unlock:

Home Page: https://deepfence.io


How to exclude paths?

Chan9390 opened this issue · comments

I read the documentation and found that I can exclude certain paths by appending them to exclude_paths.

Trying to evaluate this tool, I found the following false positive:

    {
      "Image Layer ID": "xxxxxxxxxxx",
      "Matched Rule ID": 135,
      "Matched Rule Name": "Contains a private key",
      "Matched Part": "contents",
      "String to Match": "",
      "Signature to Match": "-----BEGIN (EC|RSA|DSA|OPENSSH|PGP) PRIVATE KEY",
      "Severity": "medium",
      "Severity Score": 5.08,
      "Starting Index of Match in Original Content": 0,
      "Relative Starting Index of Match in Displayed Substring": 0,
      "Relative Ending Index of Match in Displayed Substring": 26,
      "Full File Name": "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/node_modules/proxy-agent/test/ssl-cert-snakeoil.key",
      "Matched Contents": "-----BEGIN RSA PRIVATE KEY-----"
    },

While there's a private key in the path, it's added to the container by the repo's dependencies. So in order to remove any detection of secrets in the usr/local/share/.cache path, I appended it to the exclude_paths list:

Snippet:

    # Secret Scanner Configuration File

    blacklisted_strings: ["node_modules"] # skip matches containing any of these strings (case sensitive)
    blacklisted_extensions: [".exe", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock", ".pem"]
    blacklisted_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{sep}lib{sep}containerd", "{sep}var{sep}lib{sep}containers", "{sep}var{sep}lib{sep}crio", "{sep}var{sep}run{sep}containers", "{sep}bin", "{sep}boot", "{sep}dev", "{sep}lib", "{sep}lib64", "{sep}media", "{sep}proc", "{sep}run", "{sep}sbin", "{sep}usr{sep}lib", "{sep}sys", "{sep}home{sep}kubernetes"]
    exclude_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{name_sep}lib{name_sep}docker","{sep}var{sep}lib{sep}containerd", "{sep}var{name_sep}lib{name_sep}containerd", "{sep}usr{sep}local{sep}share{sep}.cache"] # use {sep} for the OS' path separator (i.e. / or \) and {name_sep} for -

    signatures:
      - part:  'extension'

And ran the following command (where the config.yaml is saved in the secretscanner directory):

    docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_secret_scanner:latest -image-name <image>:latest --config-path secretscanner

SecretScanner still detects this path and the false positive.

PS: I tried using {name_sep} instead of {sep}, and tried adding the path to blacklisted_strings and blacklisted_paths. Nothing worked so far.

@deviprasad303 please take a look

@Chan9390 please add usr{sep}local{sep}share{sep}.cache inside the blacklisted paths. There should not be a {sep} at the start of the path. Please also add usr{sep}local{sep}share{sep}.cache in the exclude paths. The exclude path removes everything that contains the given subpath.
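To make the matching rule in the reply above concrete, here is an added example (my own code, not SecretScanner's) that models exclude_paths as a substring filter over the reported file names and applies it to the finding quoted in the issue. It assumes, as the reply states, that an entry matches when the expanded pattern is contained anywhere in the file name, that {sep} expands to the OS path separator and {name_sep} to "-", and that the scanner reports file names relative to the image root with no leading separator (as the "Full File Name" in the finding shows). The sample report is constructed from the issue; the second finding is invented to show what is kept.

```python
"""Model of SecretScanner's exclude_paths matching (assumed semantics).

This is an illustrative post-filter over the scanner's JSON output, not the
project's own implementation. Assumed rule: a finding is dropped when its
"Full File Name" contains any exclude_paths entry after placeholder expansion.
"""
import json

# Constructed sample report: the finding quoted in the issue (abridged) plus
# one invented finding that should survive the filter.
SAMPLE_REPORT = json.dumps([
    {
        "Matched Rule Name": "Contains a private key",
        "Full File Name": (
            "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-"
            "d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/node_modules/"
            "proxy-agent/test/ssl-cert-snakeoil.key"
        ),
    },
    {
        "Matched Rule Name": "Contains a private key",
        "Full File Name": "etc/ssl/private/server.key",  # constructed
    },
])


def expand(pattern: str, sep: str = "/") -> str:
    """Substitute the config placeholders: {sep} -> path separator, {name_sep} -> '-'."""
    return pattern.replace("{sep}", sep).replace("{name_sep}", "-")


def is_excluded(file_name: str, exclude_paths: list, sep: str = "/") -> bool:
    """Assumed semantics from the maintainer's reply: substring containment.

    Because file names are reported relative to the image root (no leading
    separator), a pattern that starts with {sep} expands to "/usr/..." and
    never matches "usr/...", which is why the issue's config had no effect.
    """
    return any(expand(p, sep) in file_name for p in exclude_paths)


def filter_findings(report_json: str, exclude_paths: list, sep: str = "/") -> list:
    """Return the findings that are not excluded by any exclude_paths entry."""
    findings = json.loads(report_json)
    return [f for f in findings
            if not is_excluded(f["Full File Name"], exclude_paths, sep)]


if __name__ == "__main__":
    leading_sep = ["{sep}usr{sep}local{sep}share{sep}.cache"]   # as in the issue
    no_leading_sep = ["usr{sep}local{sep}share{sep}.cache"]     # as in the reply
    print("with leading {sep}:", len(filter_findings(SAMPLE_REPORT, leading_sep)), "findings kept")
    print("without leading {sep}:", len(filter_findings(SAMPLE_REPORT, no_leading_sep)), "findings kept")
```

Running the block shows the first pattern keeping both findings (nothing excluded) and the second dropping only the yarn cache key, which is the behaviour the reply describes. The {name_sep} placeholder lets a single entry match a path component that is joined with dashes rather than separators (for example an npm package directory name), as the default config's var{name_sep}lib{name_sep}docker entries do.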

@Chan9390 can you check if it works out for you?