Add secret scanning

Author: cdupuis

sbom/index.go

@@ -132,7 +132,6 @@ func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, error
 	}
 
 	sbom := types.Sbom{
-		Artifacts: packages,
 		Source: types.Source{
 			Type: "image",
 			Image: types.ImageSource{
@@ -151,6 +150,8 @@ func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, error
 				Size: cache.Source.Image.Metadata.Size,
 			},
 		},
+		Artifacts: packages,
+		Secrets:   trivyResult.Secrets,
 		Descriptor: types.Descriptor{
 			Name:        "docker-index",
 			Version:     internal.FromBuild().Version,

sbom/syft.go

@@ -17,6 +17,7 @@
 package sbom
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/anchore/packageurl-go"
@@ -133,7 +134,7 @@ type sourcePackage struct {
 
 func toPackage(p pkg2.Package, rels []artifact.Relationship, qualifiers map[string]string, lm *types.LayerMapping, pm packageMapping) []types.Package {
 	pkg := types.Package{
-		Purl:      p.PURL,
+		Purl:      getPURL(p),
 		Licenses:  p.Licenses,
 		Locations: make([]types.Location, 0),
 	}
@@ -249,9 +250,10 @@ func toPackage(p pkg2.Package, rels []artifact.Relationship, qualifiers map[stri
 				}
 
 				pkg.Files = append(pkg.Files, types.Location{
-					Path:   path,
-					DiffId: corr.FileSystemID,
-					Digest: lm.ByDiffId[corr.FileSystemID],
+					Path:    path,
+					Ordinal: lm.OrdinalByDiffId[corr.FileSystemID],
+					DiffId:  corr.FileSystemID,
+					Digest:  lm.ByDiffId[corr.FileSystemID],
 				})
 			}
 		}
@@ -265,9 +267,10 @@ func toPackage(p pkg2.Package, rels []artifact.Relationship, qualifiers map[stri
 		}
 
 		pkg.Locations = append(pkg.Locations, types.Location{
-			Path:   path,
-			DiffId: loc.FileSystemID,
-			Digest: lm.ByDiffId[loc.FileSystemID],
+			Path:    path,
+			Ordinal: lm.OrdinalByDiffId[loc.FileSystemID],
+			DiffId:  loc.FileSystemID,
+			Digest:  lm.ByDiffId[loc.FileSystemID],
 		})
 	}
 
@@ -276,6 +279,7 @@ func toPackage(p pkg2.Package, rels []artifact.Relationship, qualifiers map[stri
 		if loc.Path == "/lib/apk/db/installed" || loc.Path == "/var/lib/dpkg/status" || loc.Path == "/var/lib/rpm/Packages" {
 			if layer, ok := pm[toKey(p)]; ok {
 				// the stereoscope layers use diff_ids internally as their digest
+				pkg.Locations[i].Ordinal = lm.OrdinalByDiffId[layer.Metadata.Digest]
 				pkg.Locations[i].DiffId = layer.Metadata.Digest
 				pkg.Locations[i].Digest = lm.ByDiffId[layer.Metadata.Digest]
 			}
@@ -319,6 +323,18 @@ func toPackage(p pkg2.Package, rels []artifact.Relationship, qualifiers map[stri
 	return []types.Package{pkg}
 }
 
+func getPURL(pkp pkg2.Package) string {
+	if pkp.PURL != "" {
+		return pkp.PURL
+	} else {
+		switch pkp.Type {
+		case "apk":
+			return fmt.Sprintf("pkg:alpine/%s@%s", pkp.Name, pkp.Version)
+		}
+	}
+	return ""
+}
+
 func osQualifiers(release *linux.Release) (types.Distro, map[string]string) {
 	qualifiers := make(map[string]string, 0)
 	distro := types.Distro{}

sbom/trivy.go

@@ -18,6 +18,7 @@ package sbom
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"strings"
 
@@ -31,6 +32,8 @@ import (
 	aimage "github.com/aquasecurity/trivy/pkg/fanal/artifact/image"
 	"github.com/aquasecurity/trivy/pkg/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/fanal/image"
+	"github.com/aquasecurity/trivy/pkg/fanal/secret"
+	stypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/fanal/utils"
 	"github.com/docker/index-cli-plugin/registry"
 	"github.com/docker/index-cli-plugin/types"
@@ -42,6 +45,7 @@ func trivySbom(cache *registry.ImageCache, lm *types.LayerMapping, resultChan ch
 		Name:     "trivy",
 		Status:   types.Success,
 		Packages: make([]types.Package, 0),
+		Secrets:  make([]types.Secret, 0),
 	}
 
 	defer close(resultChan)
@@ -80,6 +84,53 @@ func trivySbom(cache *registry.ImageCache, lm *types.LayerMapping, resultChan ch
 	}
 
 	a := applier.NewApplier(cacheClient)
+	scanner, err := secret.NewScanner("")
+	if err != nil {
+		result.Status = types.Failed
+		result.Error = errors.Wrap(err, "failed to create secret scanner")
+		resultChan <- result
+		return
+	}
+	config := &cache.Source.Image.Metadata.Config
+	for o, h := range config.History {
+		js, _ := json.MarshalIndent(h, "", "  ")
+		secrets := scanner.Scan(secret.ScanArgs{
+			FilePath: "history",
+			Content:  js,
+		})
+		if len(secrets.Findings) > 0 {
+			result.Secrets = append(result.Secrets, convertSecretFindings(secrets, types.SecretSource{
+				Type: "history",
+				Location: &types.Location{
+					Ordinal: o,
+					Digest:  lm.DigestByOrdinal[o],
+					DiffId:  lm.DiffIdByOrdinal[o],
+				},
+			}))
+		}
+	}
+	for k, v := range config.Config.Labels {
+		secrets := scanner.Scan(secret.ScanArgs{
+			FilePath: "label",
+			Content:  []byte(fmt.Sprintf("%s=%s", k, v)),
+		})
+		if len(secrets.Findings) > 0 {
+			result.Secrets = append(result.Secrets, convertSecretFindings(secrets, types.SecretSource{
+				Type: "label",
+			}))
+		}
+	}
+	for _, l := range config.Config.Env {
+		secrets := scanner.Scan(secret.ScanArgs{
+			FilePath: "env",
+			Content:  []byte(l),
+		})
+		if len(secrets.Findings) > 0 {
+			result.Secrets = append(result.Secrets, convertSecretFindings(secrets, types.SecretSource{
+				Type: "env",
+			}))
+		}
+	}
 	for v := range imageInfo.BlobIDs {
 		mergedLayer, err := a.ApplyLayers(imageInfo.ID, []string{imageInfo.BlobIDs[v]})
 		if err != nil {
@@ -92,6 +143,17 @@ func trivySbom(cache *registry.ImageCache, lm *types.LayerMapping, resultChan ch
 				return
 			}
 		}
+		for _, s := range mergedLayer.Secrets {
+			result.Secrets = append(result.Secrets, convertSecretFindings(s, types.SecretSource{
+				Type: "file",
+				Location: &types.Location{
+					Path:    s.FilePath,
+					Ordinal: lm.OrdinalByDiffId[s.Layer.DiffID],
+					Digest:  s.Layer.Digest,
+					DiffId:  s.Layer.DiffID,
+				},
+			}))
+		}
 		for _, app := range mergedLayer.Applications {
 			switch app.Type {
 			case "gobinary":
@@ -110,9 +172,10 @@ func trivySbom(cache *registry.ImageCache, lm *types.LayerMapping, resultChan ch
 					pkg := types.Package{
 						Purl: purl.String(),
 						Locations: []types.Location{{
-							Path:   "/" + app.FilePath,
-							Digest: lm.ByDiffId[lib.Layer.DiffID],
-							DiffId: lib.Layer.DiffID,
+							Path:    "/" + app.FilePath,
+							Ordinal: lm.OrdinalByDiffId[lib.Layer.DiffID],
+							Digest:  lm.ByDiffId[lib.Layer.DiffID],
+							DiffId:  lib.Layer.DiffID,
 						}},
 					}
 					result.Packages = append(result.Packages, pkg)
@@ -137,9 +200,10 @@ func trivySbom(cache *registry.ImageCache, lm *types.LayerMapping, resultChan ch
 					pkg := types.Package{
 						Purl: purl.String(),
 						Locations: []types.Location{{
-							Path:   "/" + lib.FilePath,
-							Digest: lm.ByDiffId[lib.Layer.DiffID],
-							DiffId: lib.Layer.DiffID,
+							Path:    "/" + lib.FilePath,
+							Ordinal: lm.OrdinalByDiffId[lib.Layer.DiffID],
+							Digest:  lm.ByDiffId[lib.Layer.DiffID],
+							DiffId:  lib.Layer.DiffID,
 						}},
 					}
 					result.Packages = append(result.Packages, pkg)
@@ -148,6 +212,7 @@ func trivySbom(cache *registry.ImageCache, lm *types.LayerMapping, resultChan ch
 			}
 		}
 	}
+
 	resultChan <- result
 }
 
@@ -157,3 +222,25 @@ func initializeCache() (cache.Cache, error) {
 	cacheClient, err = cache.NewFSCache(utils.CacheDir())
 	return cacheClient, err
 }
+
+func convertSecretFindings(s stypes.Secret, source types.SecretSource) types.Secret {
+	secret := types.Secret{
+		Source:   source,
+		Findings: make([]types.SecretFinding, 0),
+	}
+	for _, f := range s.Findings {
+		finding := types.SecretFinding{
+			RuleID:   f.RuleID,
+			Category: string(f.Category),
+			Title:    f.Title,
+			Severity: f.Severity,
+			Match:    f.Match,
+		}
+		if source.Type == "file" {
+			finding.StartLine = f.StartLine
+			finding.EndLine = f.EndLine
+		}
+		secret.Findings = append(secret.Findings, finding)
+	}
+	return secret
+}

types/types.go

@@ -16,7 +16,9 @@
 
 package types
 
-import v1 "github.com/google/go-containerregistry/pkg/v1"
+import (
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
 
 type Score struct {
 	Type  string `edn:"vulnerability.reference.score/type" json:"type"`
@@ -69,6 +71,7 @@ type LayerMapping struct {
 type IndexResult struct {
 	Name     string
 	Packages []Package
+	Secrets  []Secret
 	Status   string
 	Error    error
 	Distro   Distro
@@ -98,9 +101,10 @@ type Platform struct {
 }
 
 type Location struct {
-	Path   string `json:"path"`
-	Digest string `json:"digest"`
-	DiffId string `json:"diff_id"`
+	Path    string `json:"path,omitempty"`
+	Ordinal int    `json:"ordinal,omitempty"`
+	Digest  string `json:"digest,omitempty"`
+	DiffId  string `json:"diff_id,omitempty"`
 }
 
 type ImageSource struct {
@@ -129,10 +133,31 @@ type Source struct {
 	BaseImages []BaseImageMatch `json:"base_images,omitempty"`
 }
 
+type Secret struct {
+	Source   SecretSource    `json:"source"`
+	Findings []SecretFinding `json:"findings"`
+}
+
+type SecretSource struct {
+	Type     string    `json:"type"`
+	Location *Location `json:"location,omitempty"`
+}
+
+type SecretFinding struct {
+	RuleID    string `json:"rule_id"`
+	Category  string `json:"category"`
+	Title     string `json:"title"`
+	Severity  string `json:"severity"`
+	StartLine int    `json:"start_line,omitempty"`
+	EndLine   int    `json:"end_line,omitempty"`
+	Match     string `json:"match"`
+}
+
 type Sbom struct {
 	Source          Source                  `json:"source"`
 	Artifacts       []Package               `json:"artifacts"`
 	Vulnerabilities []VulnerabilitiesByPurl `json:"vulnerabilities,omitempty"`
+	Secrets         []Secret                `json:"secrets,omitempty"`
 	Descriptor      Descriptor              `json:"descriptor"`
 }