Open-Source Wikis

/

Trivy

/

Features

/

Secret scanning

aquasecurity/trivy

Secret scanning

Active contributors: knqyf263, simar7

Purpose

Trivy's secret scanner looks for hard-coded credentials — AWS keys, GitHub tokens, private keys, generic high-entropy strings — in source files and image layers. It runs as one of the analyzers in the fanal walker, which means it sees every file Trivy already opens, with no separate pass.

How it works

The scanner is a regex-and-heuristics matcher driven by built-in rules at pkg/fanal/secret/builtin-rules.go (~32,000 lines including patterns and metadata). For each rule, the scanner checks the regex against the file content; matched candidates are then run through allow-rules at builtin-allow-rules.go to filter common false positives (test fixtures, base64 example data, etc.).

graph LR
    Walker[fanal walker] --> Sec[secret analyzer]
    Sec --> Rules[builtin-rules.go]
    Rules --> Match[regex match]
    Match --> Allow[builtin-allow-rules.go]
    Allow -->|kept| Finding[types.SecretFinding]
    Allow -->|filtered| Drop
    Finding --> Result[Result.Secrets]

pkg/fanal/secret/scanner.go is the entrypoint. It supports custom rule sets via --secret-config. Configuration uses YAML; the schema is documented in the user docs.

Rule shape

Each built-in rule has:

  • ID (e.g., aws-secret-access-key).
  • Title and Severity.
  • A Regex (the matcher) and an optional Keywords array (used as a cheap pre-filter).
  • A SecretGroupName (which capture group is the actual secret).
  • An Path regex that restricts the rule to certain file paths.

Allow-rules are pattern matches that suppress findings (e.g., a path matching ^test/).

Configuration

Flag Purpose
--scanners secret Enable secret scanning.
--secret-config <path> Custom rule set.
--severity Filter by severity.

Inline ignores (# trivy:ignore:secret/aws-secret-access-key) work the same way as the IaC ignore comments. .trivyignore accepts secret/<rule-id> lines.

Output

Findings live in types.Result.Secrets with fields like RuleID, Category, Severity, Title, StartLine, EndLine, Match (the masked secret), and Layer. The reported value is masked — Trivy never echoes the full secret to stdout.

Integration points

  • fanal — the secret scanner is a regular analyzer.
  • Image scanning — secrets in image layers count as findings on the layer they were introduced.

Entry points for modification

  • Add a built-in rule — append to pkg/fanal/secret/builtin-rules.go (regex + metadata). PRs are welcome upstream; the bar is "low false-positive rate on real codebases".
  • Add a built-in allow-rulebuiltin-allow-rules.go. Use this rather than altering the rule's regex.
  • Custom user rules — write a YAML file and pass it with --secret-config. No code change required.

Key source files

File Purpose
pkg/fanal/secret/scanner.go Matcher + custom-rule loader.
pkg/fanal/secret/builtin-rules.go Built-in rule corpus.
pkg/fanal/secret/builtin-allow-rules.go False-positive filters.
pkg/fanal/analyzer/secret/ Analyzer wrapper that registers the secret scanner with fanal.
pkg/types/secret.go SecretFinding type.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Secret scanning – Trivy wiki | Factory