Find secrets and passwords in container images and file systems


What are Secrets?

Secrets are any kind of sensitive or private data that gives authorized users access to critical IT infrastructure (such as accounts, devices, networks, cloud-based services), applications, storage, databases and other kinds of critical data in an organization. Passwords, AWS access IDs, AWS secret access keys and Google OAuth keys are examples of secrets. Secrets should be strictly kept private. However, attackers can sometimes access secrets easily because of flawed security policies or inadvertent mistakes by developers. Developers sometimes use default secrets or leave hard-coded secrets such as passwords, API keys, encryption keys, SSH keys and tokens in container images, especially during rapid development and deployment cycles in CI/CD pipelines. Users also sometimes store passwords in plain text. Leakage of secrets to unauthorized entities can put your organization and infrastructure at serious security risk.

Deepfence SecretScanner helps users scan their container images or local directories on hosts and outputs a JSON file with details of all the secrets found.

Check out our blog for more details.

Command line options

Running as a container

$ docker run -it --name=deepfence-secretscanner -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning:latest

Usage of /home/deepfence/src/SecretScanner/SecretScanner:
  -config-path string
    	Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
  -debug-level string
    	Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
  -image-name string
    	Name of the image along with tag to scan for secrets
  -local string
    	Specify local directory (absolute path) which to scan. Scans only given directory recursively.
  -max-multi-match uint
    	Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
  -maximum-file-size uint
    	Maximum file size to process in KB (default 256)
  -multi-match
    	Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
  -temp-directory string
    	Directory to process and store repositories/matches (default "/tmp/Deepfence/SecretScanning")
  -threads int
    	Number of concurrent threads (default number of logical CPUs)

Running on host

$ ./SecretScanner

Usage of ./SecretScanner:
  -config-path string
    	Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
  -debug-level string
    	Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
  -image-name string
    	Name of the image along with tag to scan for secrets
  -local string
    	Specify local directory (absolute path) which to scan. Scans only given directory recursively.
  -max-multi-match uint
    	Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
  -maximum-file-size uint
    	Maximum file size to process in KB (default 256)
  -multi-match
    	Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
  -temp-directory string
    	Directory to process and store repositories/matches (default "/tmp/Deepfence/SecretScanning")
  -threads int
    	Number of concurrent threads (default number of logical CPUs)

Quickly Try Using Docker

Install docker and run SecretScanner on a container image using the following instructions:

  • Build SecretScanner:

docker build --rm=true --tag=deepfenceio/secretscanning:latest -f Dockerfile .

  • Or, pull the latest build from docker hub by doing:

docker pull deepfenceio/secretscanning

  • Pull a container image for scanning:

docker pull node:8.11

  • Run SecretScanner:
    • Scan a container image:

      docker run -it --name=deepfence-secretscanner -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning:latest -image-name node:8.11
      
    • Scan a local directory:

      docker run -it --name=deepfence-secretscanner -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning:latest -local /home/deepfence/src/SecretScanner/test
      

SecretScanner also writes JSON files with details of all the secrets found to the current working directory. When run as a container as above, the output JSON files are written to /home/deepfence/output inside the container.

Build Instructions

  1. Install Docker
  2. Install Hyperscan
  3. Install go for your platform (version 1.14)
  4. Install go modules, if needed: gohs, yaml.v3 and color
  5. go get github.com/deepfence/SecretScanner will download and build SecretScanner automatically in $GOPATH/bin or $HOME/go/bin directory. Or, clone this repository and run go build -v -i to build the executable in the current directory.
  6. Edit config.yaml file as needed and run the secret scanner with the appropriate config file directory.

For reference, the Install file has commands to build on an ubuntu system.

Instructions to Run on Local Host

./SecretScanner --help

./SecretScanner -config-path /path/to/config.yaml/dir -local test

./SecretScanner -config-path /path/to/config.yaml/dir -image-name node:8.11

Sample Secrets Json Output

(Image: sample JSON output of SecretScanner)

Credits

We have built upon the configuration file from the shhgit project.

Disclaimer

This tool is not meant to be used for hacking. Please use it only for legitimate purposes like detecting secrets on the infrastructure you own, not on others' infrastructure. DEEPFENCE shall not be liable for loss of profit, loss of business, other financial loss, or any other loss or damage which may be caused, directly or indirectly, by the inadequacy of SecretScanner for any purpose or use thereof or by any defect or deficiency therein.

Comments
  • Crashed when scanning big sized image.

    Hi, I used this tool to scan an image whose size is 26.83GB, then I received a fatal error:

    scanImage: Could not save container image: exit status 1. Check if the image name is correct. main: error while scanning image: exit status 1 panic: Fatal error....

    goroutine 1 [running]: github.com/deepfence/SecretScanner/core.(*Logger).Log(0x4000800f5b, 0x5, {0x1094c61, 0x24}, {0xc00045dee8, 0x1, 0x1}) /home/deepfence/src/SecretScanner/core/log.go:68 +0x25e github.com/deepfence/SecretScanner/core.(*Logger).Fatal(...) /home/deepfence/src/SecretScanner/core/log.go:73 main.runOnce() /home/deepfence/src/SecretScanner/main.go:108 +0x145 main.main() /home/deepfence/src/SecretScanner/main.go:148 +0x114

  • Remove baseDir from IsSkippableDir

    • I would expect that if "{sep}var{sep}lib{sep}docker" is included in blacklisted_paths that the contents of /var/lib/docker will not be scanned
    • However, when scanning docker images, baseDir = /tmp/Deepfence/SecretScanning/df_<image_name><imagetag>/ExtractedFiles which means that /var/lib/docker is not skipped
    • Removing baseDir from the IsSkippableDir check also allows for matching multiple directories with one pattern
      • If this is seen as undesirable then we could always use strings.HasPrefix

    Love the software and am keen to use it in CI pipelines but need to be able to effectively ignore directories to control false positives 🙂

  • can't install from repo

    I'm getting this error:

    output/output.go:11:2: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /go/src/github.com/deepfence/SecretScanner/agent-plugins-grpc/go.mod: no such file or directory
    
  • Skip matches containing strings using blacklisted_strings

    Hi,

    I'm running the SecretScanner in local mode using the docker image: docker run --rm -v /tmp/vulnerable_repo:/target -v /tmp/test_sec:/artifacts deepfenceio/deepfence_secret_scanner -config-path /artifacts -debug-level DEBUG -multi-match -maximum-file-size 512 -max-multi-match 5 -json-filename report.json -output-path /artifacts -local /target

The tool works perfectly, and it detects all the repository secrets.

    But in some cases the target repositories may contain files with meta attributes. For example:

    {
        "mariadb": {
            "host": "MARIADB_HOST",
            "port": "MARIADB_PORT",
            "rootMariaPwd": "MYSQL_ROOT_PASSWORD_EXAMPLE",
        },
    }
    

I'm trying to whitelist all the matches containing the string _EXAMPLE, with no success:

    # Secret Scanner Configuration File
    
    blacklisted_extensions: []
    blacklisted_paths: []
    blacklisted_strings:
    - _EXAMPLE
    
    signatures:
    - name: Generic credentials
      part: contents
      regex: (?i)(?:'|"){0,1}(?:[a-z0-9\-_.]{0,25})(?:key|api|apikey|token|secret|client|pass|pwd|passwd|password|auth|cred|authentication)(?:[0-9a-z\-_\s.]{0,20})(?:'|"){0,1}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=){0,5}([0-9a-z\-_\.=:@!]{8,512})['|\"|\n|\r|\s]
      regextype: 'large'
      severity: high
      severityscore: 10
    

Is there something wrong with my configuration, or is it a SecretScanner bug?

  • Docker build fails on MacOS Catalina 10.15.7

    Building the docker image fails when trying to compile hyperscan:

    $ docker build --rm=true --tag=deepfenceio/secretscanning:latest -f Dockerfile .
    
    [snip]
    
    #6 341.4 [ 54%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_literal_decorated.cpp.o
    #6 341.6 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/nfa/truffle.c.o
    #6 343.6 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/som/som_runtime.c.o
    #6 343.9 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/som/som_stream.c.o
    #6 344.3 [ 54%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_mcclellan.cpp.o
    #6 345.9 [ 54%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/sheng.c.o
    #6 346.6 [ 54%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_limex.cpp.o
    #6 347.0 [ 54%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/block.c.o
    #6 347.5 [ 55%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_limex_accel.cpp.o
    #6 348.8 [ 55%] Building CXX object CMakeFiles/hs_compile.dir/src/nfagraph/ng_misc_opt.cpp.o
    #6 350.8 [ 55%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/shufti.c.o
    #6 350.8 [ 55%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/catchup.c.o
    #6 353.6 [ 55%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/tamarama.c.o
    #6 389.1 c++: internal compiler error: Killed (program cc1plus)
    #6 389.1 Please submit a full bug report,
    #6 389.1 with preprocessed source if appropriate.
    #6 389.1 See <file:///usr/share/doc/gcc-7/README.Bugs> for instructions.
    #6 389.1 CMakeFiles/hs_compile.dir/build.make:1536: recipe for target 'CMakeFiles/hs_compile.dir/src/nfagraph/ng_mcclellan.cpp.o' failed
    #6 389.1 make[2]: *** [CMakeFiles/hs_compile.dir/src/nfagraph/ng_mcclellan.cpp.o] Error 4
    #6 389.1 make[2]: *** Waiting for unfinished jobs....
    #6 389.2 [ 56%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/init.c.o
    #6 392.1 [ 56%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/nfa/truffle.c.o
    #6 392.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/som/som_runtime.c.o
    #6 392.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/som/som_stream.c.o
    #6 392.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/stream.c.o
    #6 393.0 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/match.c.o
    #6 394.3 CMakeFiles/Makefile2:512: recipe for target 'CMakeFiles/hs_compile.dir/all' failed
    #6 394.3 make[1]: *** [CMakeFiles/hs_compile.dir/all] Error 2
    #6 394.3 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/block.c.o
    #6 394.8 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/catchup.c.o
    #6 395.1 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/init.c.o
    #6 398.7 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/rose/program_runtime.c.o
    #6 398.9 [ 57%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/util/multibit.c.o
    #6 399.9 [ 57%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/stream.c.o
    #6 400.1 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/match.c.o
    #6 400.2 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/rose/program_runtime.c.o
    #6 403.2 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/util/multibit.c.o
    #6 404.2 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/util/simd_utils.c.o
    #6 406.8 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/util/state_compress.c.o
    #6 408.1 [ 58%] Building C object CMakeFiles/hs_exec_shared_core2.dir/src/database.c.o
    #6 408.1 [ 58%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/util/simd_utils.c.o
    #6 408.4 [ 59%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/util/state_compress.c.o
    #6 411.4 [ 59%] Building C object CMakeFiles/hs_exec_shared_corei7.dir/src/database.c.o
    #6 421.1 [ 59%] Built target hs_exec_shared_corei7
    #6 421.3 [ 59%] Built target hs_exec_shared_core2
    #6 421.3 make: *** [all] Error 2
    #6 421.3 Makefile:129: recipe for target 'all' failed
    ------
    executor failed running [/bin/sh -c mkdir -p /usr/local/include/ &&     cd /usr/local/include/ &&     git clone https://github.com/intel/hyperscan.git &&     mkdir /usr/local/include/hs &&     cd /usr/local/include/hs &&     export MAKEFLAGS=-j$(nproc) &&     cmake -DBUILD_STATIC_AND_SHARED=1 /usr/local/include/hyperscan &&     echo "/usr/local/lib" | tee --append /etc/ld.so.conf.d/usrlocal.conf &&     cd /usr/local/include/hs && make && make install]: exit code: 2
    

    I'm relatively new to docker, so if you can provide the steps to grab any log files you might be interested in, I'm happy to do so. Pulling the docker image from docker hub appears to work fine, and is a valid workaround.

  • Blacklisted problem

Hi, I saw blacklisted_paths in config.yaml. I use a customized content pattern, but the result does not skip the blacklisted_paths path. Does blacklisted_paths work in scan image mode?

  • --json-file is invalid flag

    See:

    Initializing....
    flag provided but not defined: -json-file
    Usage of /home/deepfence/usr/SecretScanner:
      -config-path string
            Searches for config.yaml from given directory. If not set, tries to find it from SecretScanner binary's and current directory
      -container-id string
            Id of existing container ID
      -container-ns string
            Namespace of existing container to scan, empty for docker runtime
      -debug-level string
            Debug levels are one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG. Only levels higher than the debug-level are displayed (default "ERROR")
      -host-mount-path string
            If scanning the host, specify the host mount path for path exclusions to work correctly.
      -http-port string
      -image-name string
            Name of the image along with tag to scan for secrets
      -json-filename string
            Output json file name. If not set, it will automatically create a filename based on image or dir name
      -local string
            Specify local directory (absolute path) which to scan. Scans only given directory recursively.
      -max-multi-match uint
            Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled. (default 3)
      -max-secrets uint
            Maximum number of secrets to find in one container image or file system. (default 1000)
      -maximum-file-size uint
            Maximum file size to process in KB (default 256)
      -multi-match
            Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance
      -output-path string
            Output directory where json file will be stored. If not set, it will output to current directory (default ".")
      -socket-path string
            The gRPC server unix socket path
      -temp-directory string
            Directory to process and store repositories/matches (default "/tmp")
      -threads int
            Number of concurrent threads (default number of logical CPUs)
    

Correct one (printed by the binary as well): --json-filename

  • Allow for merging multiple config files and absolute path specification.

    This PR allows for multiple config paths to be specified, and adds the --merge-configs flag. When multiple paths are specified, and the merge is enabled, it joins the configs together, layering each config on top of the default config.

    Additionally it adds the ability to specify the full path to a config file, not just the directory containing a config file. This means you can do --config-path some/path/nonstandard.yaml

    Closes #71

  • Fix blacklisted_paths can not work on scan image feature

Hi, I tried to use blacklisted_paths to ignore some directories when using image scan, but it does not work.

In the IsSkippableDir function, the path var is compared with the skippablePathIndicator var that is read from blacklisted_paths. I tried printing path and found a path problem.

For example, if I want to ignore the /bin path, the code compares the two strings using HasPrefix. But in the image scan feature, the path looks like this: /tmp/Deepfence/SecretScanning/df_demoimage4/ExtractedFiles/<layer_id>/bin. This is the reason that blacklisted_paths does not work. So I tried using TrimPrefix to turn the path into this: Original: /tmp/Deepfence/SecretScanning/df_demoimage4/ExtractedFiles/<layer_id>/bin. After TrimPrefix: /bin. This works in the IsSkippableDir function and can successfully ignore blacklisted_paths when using image scan.

  • Process gets killed when scanning

The secret scanner process running inside the agent gets Killed on VM 143.198.68.242. Process log:

          "Full File Name": "/fenced/mnt/host/var/snap/docker/common/var-lib-docker/overlay2/5043b3ac304141297e67251e1ce08efd890a2e0b738a4fdc0087daee3d95ca9c/diff/var/log/dpkg.log",
          "Matched Contents": ".log"
        }
    
    Killed
    

    top:

       PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                                                                                       
    1375878 root      20   0 1404896  40476  22884 D  19.3   1.0   0:13.14 SecretScanner  
    

The memory % and CPU usage do not grow with time. The issue has been reproduced only in this VM.

  • Error creating temp folder.

    root@bb1:~# SecretScanner -image-name worker1
    Initializing....
    Scanning image worker1 for secrets...
    scanImage: Could save container image failed to save image: invalid output path: directory "/tmp/Deepfence/SecretScanning/df_worker1" does not exist
    
    findSecretsInImage: failed to save image: invalid output path: directory "/tmp/Deepfence/SecretScanning/df_worker1" does not exist
    
    main: error while scanning image: failed to save image: invalid output path: directory "/tmp/Deepfence/SecretScanning/df_worker1" does not exist
    
    panic: Fatal error....
    
    goroutine 1 [running]:
    github.com/deepfence/SecretScanner/core.(*Logger).Log(0x7ffc1c756662, 0x5, {0x56cb7e, 0x24}, {0xc00033ff50, 0x1, 0x1})
    	/root/go/src/github.com/deepfence/SecretScanner/core/log.go:68 +0x25e
    github.com/deepfence/SecretScanner/core.(*Logger).Fatal(...)
    	/root/go/src/github.com/deepfence/SecretScanner/core/log.go:73
    main.main()
    	/root/go/src/github.com/deepfence/SecretScanner/main.go:139 +0x14c
    

Ubuntu 20, go version go1.17.6 linux/amd64

  • CLI for SecretScanner

Running make static creates a static binary in the current folder which can be placed in /usr/bin. Sample commands:

    SecretScanner -local ~/.aws/ -quiet=false -config-path /home/ubuntu/SecretScanner/
    SecretScanner -quiet=false -image-name ubuntu/redis:latest -config-path /home/ubuntu/SecretScanner/
    SecretScanner -quiet=false -config-path /home/ubuntu/SecretScanner/ -container-id mystifying_newton
    
    
  • Building as standalone gives issues regarding version

    $ go get github.com/deepfence/SecretScanner go: downloading github.com/deepfence/SecretScanner v1.1.2 go: github.com/deepfence/SecretScanner upgrade => v1.1.2 go get: github.com/deepfence/[email protected] requires github.com/deepfence/[email protected]: invalid version: unknown revision 000000000000

What is the problem here? May I have the latest updated documentation, or can you fix the go.mod file?

  • Github action and secretscanner match support for 140 secret types using SARIF file integration

Idea: https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning. We need the same feature using our secretscanner. How to: SARIF support for secret scanning using a GitHub action.

  • How to exclude paths?

    I read the documentation and found that I can exclude certain paths by appending them to exclude_paths.

    Trying to evaluate this tool, I found the following false positive:

        {
          "Image Layer ID": "xxxxxxxxxxx",
          "Matched Rule ID": 135,
          "Matched Rule Name": "Contains a private key",
          "Matched Part": "contents",
          "String to Match": "",
          "Signature to Match": "-----BEGIN (EC|RSA|DSA|OPENSSH|PGP) PRIVATE KEY",
          "Severity": "medium",
          "Severity Score": 5.08,
          "Starting Index of Match in Original Content": 0,
          "Relative Starting Index of Match in Displayed Substring": 0,
          "Relative Ending Index of Match in Displayed Substring": 26,
          "Full File Name": "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/node_modules/proxy-agent/test/ssl-cert-snakeoil.key",
          "Matched Contents": "-----BEGIN RSA PRIVATE KEY-----"
        },
    

While there's a private key in the path, it's added to the container by the repo's dependencies. So in order to remove any detection of secrets in the usr/local/share/.cache path, I appended it to the exclude_paths list:

    Snippet:

    # Secret Scanner Configuration File
    
    blacklisted_strings: ["node_modules"] # skip matches containing any of these strings (case sensitive)
    blacklisted_extensions: [".exe", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock", ".pem"]
    blacklisted_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{sep}lib{sep}containerd", "{sep}var{sep}lib{sep}containers", "{sep}var{sep}lib{sep}crio", "{sep}var{sep}run{sep}containers", "{sep}bin", "{sep}boot", "{sep}dev", "{sep}lib", "{sep}lib64", "{sep}media", "{sep}proc", "{sep}run", "{sep}sbin", "{sep}usr{sep}lib", "{sep}sys", "{sep}home{sep}kubernetes"]
exclude_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{name_sep}lib{name_sep}docker","{sep}var{sep}lib{sep}containerd", "{sep}var{name_sep}lib{name_sep}containerd", "{sep}usr{sep}local{sep}share{sep}.cache"] # use {sep} for the OS' path separator and {name_sep} for -  (i.e. / or \)
    
    signatures:
      - part:  'extension'
    

    And ran the command: docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_secret_scanner:latest -image-name <image>:latest --config-path secretscanner (where the config.yaml is saved in secretscanner directory).

    SecretScanner still detects this path and the false positive.

    PS: I tried using {name_sep} instead of {sep}, and tried adding the path to blacklisted_strings and blacklisted_paths. Nothing worked so far.
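The following post-filter is an added example, not SecretScanner's own code nor anything posted in the comments above. It shows how the blacklisted_paths and blacklisted_strings keys from config.yaml can be applied to the scanner's JSON findings once the extraction directory and layer id described in the baseDir/IsSkippableDir and TrimPrefix comments are stripped from the file path, and it adds a separator boundary so /lib does not silently cover /lib64. The top-level JSON array, the <root>/<layer_id>/ layout, and every sample path and value are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed example, not SecretScanner's own code: applies blacklisted_paths and
// blacklisted_strings to JSON findings after mapping extracted paths back into the image.

// sep is the Linux separator used inside extracted images (assumption).
const sep = "/"

// Finding keeps the output fields this filter needs. The key names are the ones
// the scanner prints; that the report is a top-level JSON array is an assumption.
type Finding struct {
	Rule     string `json:"Matched Rule Name"`
	File     string `json:"Full File Name"`
	Contents string `json:"Matched Contents"`
}

// expandSep turns {sep}var{sep}lib into /var/lib, as config.yaml documents.
func expandSep(pattern string) string { return strings.ReplaceAll(pattern, "{sep}", sep) }

// inImagePath maps <root>/<layer_id>/usr/bin back to /usr/bin. A path outside
// the extraction root (a local-directory scan) is returned as an absolute path.
func inImagePath(p, extractedRoot string) string {
	root := strings.TrimSuffix(extractedRoot, sep) + sep
	if !strings.HasPrefix(p, root) {
		return sep + strings.TrimPrefix(p, sep)
	}
	rest := strings.TrimPrefix(p, root) // "<layer_id>/usr/bin"
	if i := strings.Index(rest, sep); i >= 0 {
		return rest[i:] // drop the layer id component
	}
	return sep
}

// underBlacklistedPath is true when p is a blacklisted directory or lies below
// one. Requiring a separator after the prefix keeps /lib from also matching
// /lib64, which a bare strings.HasPrefix would do.
func underBlacklistedPath(p string, patterns []string) bool {
	for _, pat := range patterns {
		dir := strings.TrimSuffix(expandSep(pat), sep)
		if p == dir || strings.HasPrefix(p, dir+sep) {
			return true
		}
	}
	return false
}

// containsBlacklistedString is the case-sensitive test the config.yaml comment describes.
func containsBlacklistedString(contents string, strs []string) bool {
	for _, s := range strs {
		if s != "" && strings.Contains(contents, s) {
			return true
		}
	}
	return false
}

// FilterFindings parses a scanner report and returns the findings that survive
// both exclusion lists (paths use the {sep} placeholder, strings are literal).
func FilterFindings(raw []byte, extractedRoot string, paths, strs []string) ([]Finding, error) {
	var all []Finding
	if err := json.Unmarshal(raw, &all); err != nil {
		return nil, err
	}
	var kept []Finding
	for _, fd := range all {
		if underBlacklistedPath(inImagePath(fd.File, extractedRoot), paths) ||
			containsBlacklistedString(fd.Contents, strs) {
			continue
		}
		kept = append(kept, fd)
	}
	return kept, nil
}

// Constructed three-finding report in the scanner's field layout; all paths and values are made up.
const sampleRoot = "/tmp/Deepfence/SecretScanning/df_node8.11/ExtractedFiles"

var sampleReport = []byte(`[
 {"Matched Rule Name":"Contains a private key","Matched Contents":"-----BEGIN RSA PRIVATE KEY-----",
  "Full File Name":"` + sampleRoot + `/layer0/usr/local/share/.cache/yarn/v6/proxy-agent/test/ssl-cert-snakeoil.key"},
 {"Matched Rule Name":"Generic credentials","Matched Contents":"\"rootMariaPwd\": \"MYSQL_ROOT_PASSWORD_EXAMPLE\"",
  "Full File Name":"` + sampleRoot + `/layer1/app/config.json"},
 {"Matched Rule Name":"Generic credentials","Matched Contents":"DB_PASSWORD=sample-value-not-a-real-secret",
  "Full File Name":"` + sampleRoot + `/layer1/app/.env"}
]`)

// Exclusions in config.yaml form: the yarn cache path, /lib (to show the /lib64 boundary), and _EXAMPLE.
var samplePaths = []string{"{sep}usr{sep}local{sep}share{sep}.cache", "{sep}lib", "{sep}var{sep}lib{sep}docker"}
var sampleStrings = []string{"_EXAMPLE"}
```

Of the three constructed findings, only the .env credential survives: the snakeoil key is dropped by path and the MYSQL_ROOT_PASSWORD_EXAMPLE placeholder by string.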

  • [feat]:Docker extension for SecretScanner

    Design and develop docker extension for SecretScanner with following features.

    • Ability to list all images present locally
    • Ability to run secret scan on selected image
    • Result in human readable table format instead of JSON
    • In-depth details of each scan result
  • feature-req: container runtime as a flag

Passing a flag like -container-runtime or -cr at runtime would reduce the overall time taken to scan images when the underlying runtime is known to the user.
