aquasecurity/trivy

fix: scan `.git/config` for secrets

Open

#6.699 geöffnet am 16. Mai 2024

Auf GitHub ansehen
 (2 Kommentare) (5 Reaktionen) (1 zugewiesene Person)Go (371 Forks)batch import
help wantedscan/secret

Repository-Metriken

Stars
 (35.000 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 5T 2h) (53 gemergte PRs in 30 T)

Beschreibung

Description

Trivy currently skips **/.git for efficiency. https://github.com/aquasecurity/trivy/blob/88702cfd5918b093defc5b5580f7cbf16f5f2417/pkg/fanal/walker/walk.go#L18

However, .git/config could sometimes include credentials (see https://github.com/aquasecurity/trivy/pull/5180#discussion_r1601445169). These directories shouldn't be skipped.

Contributor Guide