aquasecurity/trivy
Secret scanning
Active contributors: knqyf263, simar7
Purpose
Trivy's secret scanner looks for hard-coded credentials — AWS keys, GitHub tokens, private keys, generic high-entropy strings — in source files and image layers. It runs as one of the analyzers in the fanal walker, which means it sees every file Trivy already opens, with no separate pass.
How it works
The scanner is a regex-and-heuristics matcher driven by built-in rules at pkg/fanal/secret/builtin-rules.go (~32,000 lines including patterns and metadata). For each rule, the scanner checks the regex against the file content; matched candidates are then run through allow-rules at builtin-allow-rules.go to filter common false positives (test fixtures, base64 example data, etc.).
graph LR
Walker[fanal walker] --> Sec[secret analyzer]
Sec --> Rules[builtin-rules.go]
Rules --> Match[regex match]
Match --> Allow[builtin-allow-rules.go]
Allow -->|kept| Finding[types.SecretFinding]
Allow -->|filtered| Drop
Finding --> Result[Result.Secrets]pkg/fanal/secret/scanner.go is the entrypoint. It supports custom rule sets via --secret-config. Configuration uses YAML; the schema is documented in the user docs.
Rule shape
Each built-in rule has:
ID(e.g.,aws-secret-access-key).TitleandSeverity.- A
Regex(the matcher) and an optionalKeywordsarray (used as a cheap pre-filter). - A
SecretGroupName(which capture group is the actual secret). - An
Pathregex that restricts the rule to certain file paths.
Allow-rules are pattern matches that suppress findings (e.g., a path matching ^test/).
Configuration
| Flag | Purpose |
|---|---|
--scanners secret |
Enable secret scanning. |
--secret-config <path> |
Custom rule set. |
--severity |
Filter by severity. |
Inline ignores (# trivy:ignore:secret/aws-secret-access-key) work the same way as the IaC ignore comments. .trivyignore accepts secret/<rule-id> lines.
Output
Findings live in types.Result.Secrets with fields like RuleID, Category, Severity, Title, StartLine, EndLine, Match (the masked secret), and Layer. The reported value is masked — Trivy never echoes the full secret to stdout.
Integration points
- fanal — the secret scanner is a regular analyzer.
- Image scanning — secrets in image layers count as findings on the layer they were introduced.
Entry points for modification
- Add a built-in rule — append to
pkg/fanal/secret/builtin-rules.go(regex + metadata). PRs are welcome upstream; the bar is "low false-positive rate on real codebases". - Add a built-in allow-rule —
builtin-allow-rules.go. Use this rather than altering the rule's regex. - Custom user rules — write a YAML file and pass it with
--secret-config. No code change required.
Key source files
| File | Purpose |
|---|---|
pkg/fanal/secret/scanner.go |
Matcher + custom-rule loader. |
pkg/fanal/secret/builtin-rules.go |
Built-in rule corpus. |
pkg/fanal/secret/builtin-allow-rules.go |
False-positive filters. |
pkg/fanal/analyzer/secret/ |
Analyzer wrapper that registers the secret scanner with fanal. |
pkg/types/secret.go |
SecretFinding type. |
See also
- fanal — the analyzer registry that runs this scanner.
- Vulnerability scanning — the sibling feature.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.