
Detect secrets in container environment variables

Open rcarpio-hbo opened this issue 2 years ago • 8 comments

Scan container images for secrets present in the container environment variables.

Example Dockerfile with AWS secret:

FROM node:12.22.12-slim
 
ENV AWS_SECRET_ACCESS_KEY erHSKM98c+afa418tkewJRjsdaJMxuiSgOExample

rcarpio-hbo · May 30 '22 14:05

I think we can expand the scope of this issue to "detect secrets in misconfiguration scanning"?

itaysk · Jun 01 '22 16:06

We already detect secrets in any file, so secrets in Dockerfile can be detected now. I guess this feature request means scanning secrets in the config of container images.

$ docker inspect golang:1.18.0 | jq '.[0].Config.Env'
[
  "PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  "GOLANG_VERSION=1.18",
  "GOPATH=/go"
]

knqyf263 · Jun 01 '22 16:06

What I meant with this issue was that trivy image does not discover the secret. Likewise, neither does trivy config.

Some tests that I did:

Having the following Dockerfile:

FROM node:12.22.12-slim

ENV AWS_SECRET_ACCESS_KEY erHSKM98c+afa418tkewJRjsdaJMxuiSgOExample

  • trivy fs Dockerfile.env

Dockerfile.env (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌──────────┬───────────────────┬──────────┬─────────┬───────────────────────────────┐
│ Category │    Description    │ Severity │ Line No │             Match             │
├──────────┼───────────────────┼──────────┼─────────┼───────────────────────────────┤
│   AWS    │ AWS Access Key ID │ CRITICAL │    3    │ # ENV AWS_ACCESS_KEY_ID ***** │
└──────────┴───────────────────┴──────────┴─────────┴───────────────────────────────┘

  • trivy config Dockerfile.env

Dockerfile.env (dockerfile)

Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────

  • trivy image --security-checks secret test_env

None

rcarpio-hbo · Jun 02 '22 15:06

Yes, that is what I said. It is scanning config of images.

knqyf263 · Jun 02 '22 18:06

The secret is also part of the image history, not just the configuration.

gliwka · Jun 29 '22 12:06

@knqyf263 are you planning to implement this feature in the near future?

rcarpio-hbo · Jul 04 '22 13:07

No, but we welcome any contribution.

knqyf263 · Jul 04 '22 13:07

Related to issue https://github.com/aquasecurity/trivy/issues/2676: if we could infer the Dockerfile of an image, we could scan it for exposed secrets as well.

itaysk · Sep 20 '22 10:09

> The secret is also part of the image history, not just the configuration.

FYI: The image configuration includes history as well.

knqyf263 · Jan 30 '23 03:01
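The thread's point is that a Dockerfile ENV secret survives in two places the image scanner does not look: the image config's environment (what `docker inspect ... | jq '.[0].Config.Env'` prints above) and the `history[].created_by` entries of the OCI image config, which record the ENV instruction itself. The script below is an added example for this thread, not trivy's code and not trivy's rule set. It reads either the list that `docker image inspect <image>` emits (which carries `Config.Env` only) or a bare OCI config blob such as the config JSON inside a `docker save` tarball (which also carries `history`), and applies two illustrative detectors: a pattern for AWS access key IDs and a keyword-plus-entropy heuristic for secret-looking variable names. The embedded sample config, its history lines and the credential values in it are constructed (the access key ID is the one AWS uses in its own documentation); the thresholds are assumptions to tune.

```python
"""Scan an image config (Config.Env plus history) for secrets leaked via ENV.

Added example for this issue thread; not trivy's code and not trivy's rules.
Input: the JSON from `docker image inspect <image>` (list with one object,
Config.Env only) or an OCI image config blob (config.Env and history[]).
"""
import json
import math
import re
import sys

# Illustrative detectors (assumptions, not trivy's built-in rule set).
AWS_ACCESS_KEY_ID = re.compile(
    r"\b(?:AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA)[A-Z0-9]{16}\b")
SECRET_NAME = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key|private[_-]?key|access[_-]?key)")
# NAME=value inside a history line such as "/bin/sh -c #(nop)  ENV NAME=value"
ENV_ASSIGNMENT = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\S+)")
MIN_SECRET_LEN = 16      # shorter values are usually flags, not credentials
MIN_ENTROPY_BITS = 3.5   # per-character Shannon entropy; tune per environment


def shannon_entropy(text):
    """Per-character Shannon entropy in bits; 0.0 for the empty string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a 4-char prefix so a finding can be located without re-leaking it."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def iter_locations(config):
    """Yield (location, text) for every place a Dockerfile ENV line ends up."""
    if isinstance(config, list):          # `docker image inspect` wraps in a list
        config = config[0]
    cfg = config.get("Config") or config.get("config") or {}
    for i, entry in enumerate(cfg.get("Env") or []):
        yield "config.Env[%d]" % i, entry
    history = config.get("history") or config.get("History") or []
    for i, entry in enumerate(history):
        created_by = entry.get("created_by") or entry.get("CreatedBy") or ""
        if created_by:
            yield "history[%d].created_by" % i, created_by


def assignments(location, text):
    """Split a location's text into (name, value) pairs."""
    if location.startswith("config.Env"):
        name, sep, value = text.partition("=")   # Env entries are exactly NAME=value
        return [(name, value)] if sep else []
    return ENV_ASSIGNMENT.findall(text)          # history lines embed NAME=value


def find_secrets(config):
    """Return findings as dicts; matched values are redacted in the output."""
    findings = []
    for location, text in iter_locations(config):
        for match in AWS_ACCESS_KEY_ID.finditer(text):
            findings.append({"location": location, "rule": "aws-access-key-id",
                             "name": None, "match": redact(match.group(0))})
        for name, value in assignments(location, text):
            if AWS_ACCESS_KEY_ID.fullmatch(value):
                continue                          # already reported above
            if (SECRET_NAME.search(name) and len(value) >= MIN_SECRET_LEN
                    and shannon_entropy(value) >= MIN_ENTROPY_BITS):
                findings.append({"location": location, "rule": "secret-like-env-var",
                                 "name": name, "match": redact(value)})
    return findings


# Constructed OCI-style config mimicking the Dockerfile from this thread.
SAMPLE_CONFIG = {
    "architecture": "amd64",
    "config": {"Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "NODE_VERSION=12.22.12",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY=erHSKM98c+afa418tkewJRjsdaJMxuiSgOExample",
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:0123abcd in / "},
        {"created_by": "/bin/sh -c #(nop)  ENV NODE_VERSION=12.22.12", "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE", "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_SECRET_ACCESS_KEY=erHSKM98c+afa418tkewJRjsdaJMxuiSgOExample", "empty_layer": True},
    ],
}


def main(argv):
    """Usage: python scan_image_config.py [config.json]; exit 1 if anything is found."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            config = json.load(fh)
    else:
        config = SAMPLE_CONFIG
    findings = find_secrets(config)
    for f in findings:
        print("%-26s %-22s %-22s %s" % (f["location"], f["rule"], f["name"] or "-", f["match"]))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against `docker image inspect <image> > cfg.json` to cover `Config.Env`, or against the image config blob to also cover history; `docker history --no-trunc <image>` shows the same `created_by` strings interactively. Two caveats a practitioner should keep in mind: the keyword rule is deliberately name-driven, so a credential stored under an innocuous name like `DB_URL` is only caught if a value pattern exists for it, and a secret removed from the filesystem in a later layer still shows up here, because config and history are not layer content.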