Trivy detects secret in trivy's own cached policies

[oschroeder8]

IDs

aws-access-key-id

Description

I noticed that since Monday afternoon trivy filesystem scans are failing on Rocky 8 and 9 when the [misconfig] built-in checks are updated.

Here is an example of the latest trivy (v0.57.1) failing to download the latest trivy-checks update and the scan passing:

[root@trivy-test-r9 ~]# /root/bin/trivy fs --db-repository public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db --scanners vuln,secret,misconfig --exit-code 1 --severity CRITICAL /
2024-11-20T12:15:50-06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-20T12:15:50-06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="ghcr.io/aquasecurity/trivy-db:2"
2024-11-20T12:15:50-06:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-20T12:15:50-06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-20T12:15:50-06:00       INFO    [misconfig] Need to update the built-in checks
2024-11-20T12:15:50-06:00       INFO    [misconfig] Downloading the built-in checks...
2024-11-20T12:15:51-06:00       ERROR   [misconfig] Falling back to embedded checks     err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 746.935µs, allowed: 44000/minute\n\n"
2024-11-20T12:15:51-06:00       INFO    [secret] Secret scanning is enabled
2024-11-20T12:15:51-06:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-20T12:15:51-06:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-20T12:16:10-06:00       INFO    Detected OS     family="rocky" version="9.4"
2024-11-20T12:16:10-06:00       INFO    [rocky] Detecting vulnerabilities...    os_version="9" pkg_num=489
2024-11-20T12:16:10-06:00       INFO    Number of language-specific files       num=0
2024-11-20T12:16:10-06:00       INFO    Detected config files   num=0

trivy-test-r9 (rocky 9.4)

Total: 0 (CRITICAL: 0)

Here is an example of the trivy-checks download succeeding and then a plaintext secret is detected in trivy's own cached policies:

[root@trivy-test-r9 ~]# /root/bin/trivy fs --db-repository public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db --scanners vuln,secret,misconfig --exit-code 1 --severity CRITICAL /
2024-11-20T12:16:57-06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-20T12:16:57-06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="ghcr.io/aquasecurity/trivy-db:2"
2024-11-20T12:16:57-06:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-20T12:16:57-06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-20T12:16:57-06:00       INFO    [misconfig] Need to update the built-in checks
2024-11-20T12:16:57-06:00       INFO    [misconfig] Downloading the built-in checks...
201.91 KiB / 201.91 KiB [--------------------------------------------------------------------------] 100.00% ? p/s 100ms
2024-11-20T12:16:57-06:00       INFO    [secret] Secret scanning is enabled
2024-11-20T12:16:57-06:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-20T12:16:57-06:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-20T12:17:17-06:00       INFO    Detected OS     family="rocky" version="9.4"
2024-11-20T12:17:17-06:00       INFO    [rocky] Detecting vulnerabilities...    os_version="9" pkg_num=489
2024-11-20T12:17:17-06:00       INFO    Number of language-specific files       num=0
2024-11-20T12:17:17-06:00       INFO    Detected config files   num=0

trivy-test-r9 (rocky 9.4)

Total: 0 (CRITICAL: 0)


root/.cache/trivy/policy/content/policies/cloud/policies/aws/ecs/no_plaintext_secrets.yaml (secrets)

Total: 1 (CRITICAL: 1)

CRITICAL: AWS (aws-access-key-id)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Access Key ID
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 root/.cache/trivy/policy/content/policies/cloud/policies/aws/ecs/no_plaintext_secrets.yaml:57
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  55                 - Environment:
  56                     - Name: AWS_ACCESS_KEY_ID
  57 [                     Value: ********************
  58                   Image: cfsec/cfsec:latest
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

This is not being deployed in AWS and there is no AWS_ACCESS_KEY_ID variable present in the environment variables or in any other files.

I am seeing this issue with Rocky 8.10 and 9.4. I did not have this issue until about 2 days ago. I thought it might be related to the v0.57.1 release, which included some AWS updates, but v0.57.0 does the same thing.

Reproduction Steps

1. Install trivy using the install.sh script into /root folder
2. Run trivy filesystem scan with above command line
3. If trivy-checks download fails, the `.cache/trivy/policy/content/policies/cloud/policies/aws/ecs/` folder does not exist
4. If trivy-checks does download, trivy seems to be caching these files and then detecting a problem in the bad example section.

Target

Filesystem

Scanner

Secret

Target OS

Rocky 8.10 and Rocky 9.4

Debug Output

[root@trivy-test-r9 ~]# /root/bin/trivy fs --db-repository public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db --scanners vuln,secret,misconfig --exit-code 1 --severity CRITICAL --debug /
2024-11-20T15:32:36-06:00       DEBUG   No plugins loaded
2024-11-20T15:32:36-06:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-20T15:32:36-06:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-11-20T15:32:36-06:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-11-20T15:32:36-06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-20T15:32:36-06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="ghcr.io/aquasecurity/trivy-db:2"
2024-11-20T15:32:36-06:00       DEBUG   Parsed severities       severities=[CRITICAL]
2024-11-20T15:32:36-06:00       DEBUG   Ignore statuses statuses=[]
2024-11-20T15:32:36-06:00       DEBUG   DB update was skipped because the local DB is the latest
2024-11-20T15:32:36-06:00       DEBUG   DB info schema=2 updated_at=2024-11-20T12:18:25.816456516Z next_update=2024-11-21T12:18:25.816456156Z downloaded_at=2024-11-20T18:13:14.358828266Z
2024-11-20T15:32:36-06:00       DEBUG   [pkg] Package types     types=[os library]
2024-11-20T15:32:36-06:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-11-20T15:32:36-06:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-20T15:32:36-06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-20T15:32:36-06:00       DEBUG   [misconfig] Checks successfully loaded from disk
2024-11-20T15:32:36-06:00       INFO    [secret] Secret scanning is enabled
2024-11-20T15:32:36-06:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-20T15:32:36-06:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-20T15:32:36-06:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-20T15:32:36-06:00       DEBUG   Initializing scan cache...      type="memory"
2024-11-20T15:32:36-06:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-11-20T15:32:36-06:00       DEBUG   Skipping path   path="dev"
2024-11-20T15:32:37-06:00       DEBUG   Skipping path   path="proc"
2024-11-20T15:32:38-06:00       DEBUG   Skipping path   path="sys"
2024-11-20T15:32:54-06:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Helm"
2024-11-20T15:32:54-06:00       DEBUG   [rego] Overriding filesystem for checks
2024-11-20T15:32:54-06:00       DEBUG   [rego] Embedded libraries are loaded    count=15
2024-11-20T15:32:55-06:00       DEBUG   [rego] Embedded checks are loaded       count=509
2024-11-20T15:32:55-06:00       DEBUG   [rego] Checks from disk are loaded      count=524
2024-11-20T15:32:55-06:00       DEBUG   [rego] Overriding filesystem for data
2024-11-20T15:32:55-06:00       INFO    Detected OS     family="rocky" version="9.4"
2024-11-20T15:32:55-06:00       INFO    [rocky] Detecting vulnerabilities...    os_version="9" pkg_num=489
2024-11-20T15:32:55-06:00       INFO    Number of language-specific files       num=0
2024-11-20T15:32:55-06:00       INFO    Detected config files   num=0
2024-11-20T15:32:55-06:00       DEBUG   Secret file     file_path="etc/pki/tls/private/sendmail.key"
2024-11-20T15:32:55-06:00       DEBUG   Secret file     file_path="etc/ssh/ssh_host_ecdsa_key"
2024-11-20T15:32:55-06:00       DEBUG   Secret file     file_path="etc/ssh/ssh_host_ed25519_key"
2024-11-20T15:32:55-06:00       DEBUG   Secret file     file_path="etc/ssh/ssh_host_rsa_key"
2024-11-20T15:32:55-06:00       DEBUG   Secret file     file_path="root/.cache/trivy/policy/content/policies/cloud/policies/aws/ecs/no_plaintext_secrets.yaml"
2024-11-20T15:32:55-06:00       DEBUG   [vex] VEX filtering is disabled

trivy-test-r9 (rocky 9.4)

Total: 0 (CRITICAL: 0)


root/.cache/trivy/policy/content/policies/cloud/policies/aws/ecs/no_plaintext_secrets.yaml (secrets)

Total: 1 (CRITICAL: 1)

CRITICAL: AWS (aws-access-key-id)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Access Key ID
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 root/.cache/trivy/policy/content/policies/cloud/policies/aws/ecs/no_plaintext_secrets.yaml:57
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  55                 - Environment:
  56                     - Name: AWS_ACCESS_KEY_ID
  57 [                     Value: ********************
  58                   Image: cfsec/cfsec:latest
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

[root@trivy-test-r9 ~]# trivy --version
Version: 0.57.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-20 12:18:25.816456516 +0000 UTC
  NextUpdate: 2024-11-21 12:18:25.816456156 +0000 UTC
  DownloadedAt: 2024-11-20 18:13:14.358828266 +0000 UTC
Check Bundle:
  Digest: sha256:6127ec64475c78cd2b044cc0acd585584f8386136f9f78353f151300192fdf59
  DownloadedAt: 2024-11-20 18:16:57.832585026 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[alismx]

I'm experiencing this while using the GitHub action. My config is as follows.

Workflow config:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'fs'
          scan-ref: .
          scanners: 'vuln,secret,misconfig'
          ignore-unfixed: false
          exit-code: '1'
          format: 'table'
          severity: 'CRITICAL,HIGH'

Output:

...
.cache/trivy/policy/content/policies/cloud/policies/aws/ecs/no_plaintext_secrets.yaml (secrets)
===============================================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-access-key-id)
════════════════════════════════════════
AWS Access Key ID
────────────────────────────────────────
 .cache/trivy/policy/content/policies/cloud/policies/aws/ecs/no_plaintext_secrets.yaml:57
────────────────────────────────────────
  55                 - Environment:
  56                     - Name: AWS_ACCESS_KEY_ID
  57 [                     Value: ********************
  58                   Image: cfsec/cfsec:latest
────────────────────────────────────────

[simar7]

@nikpivkin I think this is probably due to the new examples being pulled into the bundle as they're yaml and trivy scanning on them. Could you take a look?

[nikpivkin]

Right

[nikpivkin]

Opened a PR for a fix aquasecurity/trivy-checks#292

[simar7]

We've released a new bundle that should fix this https://github.com/aquasecurity/trivy-checks/releases/tag/v1.3.1