Description
I read the documentation and found that I can exclude certain paths by appending them to exclude_paths.
Trying to evaluate this tool, I found the following false positive:
```json
{
  "Image Layer ID": "xxxxxxxxxxx",
  "Matched Rule ID": 135,
  "Matched Rule Name": "Contains a private key",
  "Matched Part": "contents",
  "String to Match": "",
  "Signature to Match": "-----BEGIN (EC|RSA|DSA|OPENSSH|PGP) PRIVATE KEY",
  "Severity": "medium",
  "Severity Score": 5.08,
  "Starting Index of Match in Original Content": 0,
  "Relative Starting Index of Match in Displayed Substring": 0,
  "Relative Ending Index of Match in Displayed Substring": 26,
  "Full File Name": "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/node_modules/proxy-agent/test/ssl-cert-snakeoil.key",
  "Matched Contents": "-----BEGIN RSA PRIVATE KEY-----"
},
```

While there's a private key in the path, it's added to the container by the repo's dependencies. So in order to remove any detection of secrets in the usr/local/share/.cache path, I appended it to the exclude_paths list:
Snippet:

```yaml
# Secret Scanner Configuration File
blacklisted_strings: ["node_modules"] # skip matches containing any of these strings (case sensitive)
blacklisted_extensions: [".exe", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock", ".pem"]
blacklisted_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{sep}lib{sep}containerd", "{sep}var{sep}lib{sep}containers", "{sep}var{sep}lib{sep}crio", "{sep}var{sep}run{sep}containers", "{sep}bin", "{sep}boot", "{sep}dev", "{sep}lib", "{sep}lib64", "{sep}media", "{sep}proc", "{sep}run", "{sep}sbin", "{sep}usr{sep}lib", "{sep}sys", "{sep}home{sep}kubernetes"]
exclude_paths: ["{sep}var{sep}lib{sep}docker", "{sep}var{name_sep}lib{name_sep}docker", "{sep}var{sep}lib{sep}containerd", "{sep}var{name_sep}lib{name_sep}containerd", "{sep}usr{sep}local{sep}share{sep}.cache"] # use {sep} for the OS' path separator and {name_sep} for - (i.e. / or \)
signatures:
- part: 'extension'
```
And ran the command: `docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_secret_scanner:latest -image-name <image>:latest --config-path secretscanner` (where the config.yaml is saved in the secretscanner directory).
SecretScanner still detects this path and the false positive.
PS: I tried using {name_sep} instead of {sep}, and tried adding the path to blacklisted_strings and blacklisted_paths. Nothing worked so far.
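A local check of which matching rule would exclude the reported path, added here as an example (not SecretScanner's own code). It assumes `{sep}` expands to `/` and `{name_sep}` to `-` as the config comment describes, and models three candidate matching rules because the scanner's actual rule is not shown in the issue.

```python
# Constructed from the issue: the reporter's exclude_paths entries and the
# "Full File Name" the scanner reported. Note the reported path has no
# leading separator.
EXCLUDE_PATHS = [
    "{sep}var{sep}lib{sep}docker",
    "{sep}var{name_sep}lib{name_sep}docker",
    "{sep}usr{sep}local{sep}share{sep}.cache",
]
REPORTED_PATH = (
    "usr/local/share/.cache/yarn/v6/npm-proxy-agent-5.0.0-"
    "d31405c10d6e8431fde96cba7a0c027ce01d633b-integrity/"
    "node_modules/proxy-agent/test/ssl-cert-snakeoil.key"
)


def expand(template, sep="/", name_sep="-"):
    """Substitute the config placeholders.
    Assumption: {sep} is the OS path separator and {name_sep} is '-'."""
    return template.replace("{sep}", sep).replace("{name_sep}", name_sep)


def excluded_by_prefix(path, templates, sep="/"):
    """Candidate rule 1: the expanded template must be a prefix of the path."""
    return any(path.startswith(expand(t, sep)) for t in templates)


def excluded_by_substring(path, templates, sep="/"):
    """Candidate rule 2: the expanded template may appear anywhere in the path."""
    return any(expand(t, sep) in path for t in templates)


def excluded_normalized(path, templates, sep="/"):
    """Candidate rule 3: anchor the reported path at the root, then prefix-match."""
    absolute = path if path.startswith(sep) else sep + path
    return excluded_by_prefix(absolute, templates, sep)


def check(path=REPORTED_PATH, templates=EXCLUDE_PATHS):
    """Return which candidate rules would exclude the given path."""
    return {
        "prefix": excluded_by_prefix(path, templates),
        "substring": excluded_by_substring(path, templates),
        "normalized_prefix": excluded_normalized(path, templates),
    }


if __name__ == "__main__":
    for rule, hit in check().items():
        print(f"{rule:18s} excludes reported path: {hit}")
```

Running it shows that a template expanding to `/usr/local/share/.cache` only matches the reported `usr/local/share/...` path once the path is anchored at the root, which is the kind of separator mismatch worth ruling out when an exclusion appears to be ignored.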