Trivy Secret Detection Enabled By Default Since v0.27.0
Trivy v0.27.0 added secret detection enabled by default. This can be extremely slow for larger images, and is causing scan timeouts / failures.
Since GitLab has another scanner for secret detection, should Trivy be doing secret detection as well? The flag below can be used to only scan for vulnerabilities. Can this either be exposed, or can the default be to just scan for vulnerabilities?

```
--security-checks value   comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln,secret") [$TRIVY_SECURITY_CHECKS]
```
We are temporarily working around this issue by pinning to a version that contains Trivy v0.26.0.
```yaml
container_scanning:
  # Image tag 4.6.14 contains Trivy 0.26.0, avoiding the timeout bug in Trivy 0.27.0.
  image: registry.gitlab.com/security-products/container-scanning:4.6.14
```
Implementation plan

- Use `--security-checks` to disable secret scanning in Trivy 0.27.0+
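As an added illustration (not from the issue or the analyzer's own documentation) of applying that plan without pinning an older image: Trivy reads `TRIVY_SECURITY_CHECKS` from its environment, and GitLab CI exports job `variables` into the job environment, so this assumes the analyzer invokes Trivy without overriding the setting with an explicit `--security-checks` flag.

```yaml
container_scanning:
  variables:
    # Restrict Trivy to vulnerability scanning only; secret detection is
    # covered by GitLab's dedicated secret detection scanner. Assumes the
    # analyzer does not pass its own --security-checks flag to Trivy.
    TRIVY_SECURITY_CHECKS: "vuln"
```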
Edited by Thiago Figueiró