Finding Sensitive Files #7773
Question

I'm trying to add common sensitive files that I've come across on assessments, but the documentation (from what I can tell) doesn't describe how to just look for a file or variations of a file. For example, if I want to look for .env (or variations such as .env.prod, .env.dev), what is the YAML format for that?

Target: Filesystem
Scanner: Secret
Output Format: None
Mode: Standalone
Operating System: Linux
Version:
Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-21 12:18:07.171964626 +0000 UTC
  NextUpdate: 2024-10-22 12:18:07.171964146 +0000 UTC
  DownloadedAt: 2024-10-21 13:11:34.780887648 +0000 UTC
You can pass glob patterns like so: https://aquasecurity.github.io/trivy/v0.56/docs/configuration/skipping/#advanced-globbing

But as mentioned, it isn't supported today for secret scanning. Is that what you are trying to do?
You can write a custom rule matching *.env. https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret/#configuration
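
An added example, not part of the thread and not taken from Trivy's documentation: a `trivy-secret.yaml` custom rule of the kind the last reply points to, covering `.env` and variants such as `.env.prod` and `.env.dev`. It assumes the rule's `path` field is evaluated as a regular expression against the file path; the rule id, title and content regex are made up for illustration.

```yaml
# trivy-secret.yaml (constructed example; rule id, title and regexes are assumptions)
rules:
  - id: dotenv-assignment
    category: general
    title: Variable assignment in a .env file
    severity: HIGH
    # Limit the rule to .env, .env.prod, .env.dev, ... in any directory.
    # Assumed to be a regular expression on the file path, not a shell glob.
    path: '(^|/)\.env(\.[^/]+)?$'
    # Secret rules match on file content, so the rule needs a content regex.
    # This one flags every KEY=value line, optionally prefixed with "export".
    regex: '(?m)^(export\s+)?[A-Za-z_][A-Za-z0-9_]*=(?P<secret>.+)$'
    # Name of the capture group whose value is censored in the report.
    secret-group-name: secret
```

Place the file in the directory where Trivy runs, or pass it with `--secret-config`, for example `trivy fs --scanners secret --secret-config trivy-secret.yaml .`. Because the rule matches on content, an empty `.env` file produces no finding.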