package secret

import (
	"context"
	"encoding/json"

	"golang.org/x/xerrors"

	"github.com/devseccon/trivy/pkg/fanal/analyzer"
	"github.com/devseccon/trivy/pkg/fanal/secret"
	"github.com/devseccon/trivy/pkg/fanal/types"
	"github.com/devseccon/trivy/pkg/log"
)

// analyzerVersion is the value reported by Version.
const analyzerVersion = 1

// configFileName is the pseudo path attached to findings, so a report can point
// at the image config itself rather than at a file inside the image filesystem.
const configFileName = "config.json"

func init() {
	analyzer.RegisterConfigAnalyzer(analyzer.TypeImageConfigSecret, newSecretAnalyzer)
}

// secretAnalyzer runs the secret scanner over the JSON-serialized container
// image config instead of over filesystem contents.
type secretAnalyzer struct {
	scanner secret.Scanner
}

// newSecretAnalyzer builds the analyzer from the secret scanner config referenced
// by opts.SecretScannerOption.ConfigPath. A config that fails to parse is
// reported as an error rather than falling back to defaults.
func newSecretAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
	cfg, err := secret.ParseConfig(opts.SecretScannerOption.ConfigPath)
	if err != nil {
		return nil, xerrors.Errorf("secret config error: %w", err)
	}

	return &secretAnalyzer{scanner: secret.NewScanner(cfg)}, nil
}

// Analyze serializes input.Config to JSON and scans the bytes for secrets.
// It returns (nil, nil) when there is no config or when nothing is found, and
// a result carrying the scanner's findings otherwise.
func (a *secretAnalyzer) Analyze(_ context.Context, input analyzer.ConfigAnalysisInput) (*analyzer.ConfigAnalysisResult, error) {
	if input.Config == nil {
		return nil, nil
	}

	// NOTE(review): a one-space prefix with an empty indent looks swapped
	// relative to the usual MarshalIndent call; confirm the layout is intended
	// before changing it, since findings are computed on exactly these bytes.
	raw, err := json.MarshalIndent(input.Config, " ", "")
	if err != nil {
		return nil, xerrors.Errorf("json marshal error: %w", err)
	}

	res := a.scanner.Scan(secret.ScanArgs{
		FilePath: configFileName,
		Content:  raw,
	})
	if len(res.Findings) > 0 {
		return &analyzer.ConfigAnalysisResult{Secret: &res}, nil
	}

	log.Logger.Debug("No secrets found in container image config")
	return nil, nil
}

// Required reports that this analyzer applies regardless of the detected OS.
func (a *secretAnalyzer) Required(_ types.OS) bool {
	return true
}

// Type identifies this analyzer as the image-config secret analyzer.
func (a *secretAnalyzer) Type() analyzer.Type {
	return analyzer.TypeImageConfigSecret
}

// Version returns the analyzer version used for cache keys and reporting.
func (a *secretAnalyzer) Version() int {
	return analyzerVersion
}