aquasecurity/trivy

fix: scan `.git/config` for secrets

Open

#6,699 建立於 2024年5月16日

在 GitHub 查看
 (2 留言) (5 反應) (1 負責人)Go (35,000 star) (371 fork)batch import
help wantedscan/secret

描述

Description

Trivy currently skips **/.git for efficiency. https://github.com/aquasecurity/trivy/blob/88702cfd5918b093defc5b5580f7cbf16f5f2417/pkg/fanal/walker/walk.go#L18

However, .git/config could sometimes include credentials (see https://github.com/aquasecurity/trivy/pull/5180#discussion_r1601445169). These directories shouldn't be skipped.

貢獻者指南

技術棧
go
領域
security
議題類型
bug
難度面向新貢獻者的預計實作難度,1 表示很小改動,5 表示專家級工作。
3
預計時間有經驗貢獻者完成調查、實作、測試並準備 pull request 的粗略時間範圍。
1-3 hours
活動狀態議題目前的可參與程度:新鮮、活躍、陳舊、阻塞或等待維護者輸入。
active
清晰度議題是否清楚說明預期改動、驗收標準和下一步。
clear
前置要求
Go programmingBasic understanding of Trivy scanningKnowledge of .git directory structure
新手友善度1-100 的估計分數,表示該議題對首次貢獻者的友善程度。
60
研究方向
The issue is to modify the walker in `pkg/fanal/walker/walk.go` (line 18) to not skip `.git/config` while still skipping other `.git` directories for efficiency. Review the linked PR discussion (#5180) for context on why `.git` is skipped. The change should ensure that only the `.git/config` file is included, not the entire `.git` directory, to maintain performance. Check if there are any existing tests for the walker and add a test case for scanning `.git/config`.