aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Some secret detection regexes expect the value to be surrounded by quotes #6787

Open nikpivkin opened 1 month ago

nikpivkin commented 1 month ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6785

Originally posted by **asankov** May 27, 2024

### Description

I am playing around with the secret detection features and I see that some matchers like [`grafana-api-token`](https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go#L536), [`hashicorp-tf-api-token`](https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go#L544) and others expect that the value of the token is surrounded by quotes `['\"]`. This means that if I have a file like this:

```yaml
grafana:
  token: eyJrIjoiNjQyOT...
```

or

```env
GRAFANA_TOKEN=eyJrIjoiNjQyOT...
```

the value would not be detected by the scanner. What is the reason to expect them to be like that?

### Desired Behavior

The token is matched regardless of whether the value is surrounded by quotes or not.

### Actual Behavior

The token is not matched unless the value is in quotes.

### Reproduction Steps

```bash
1. Create a YAML or .env file similar to the one I provided in the description of the issue.
2. Run it via the secret detector
3. Observe that no findings are reported
```

### Target

Filesystem

### Scanner

Secret

### Output Format

None

### Mode

None

### Debug Output

```bash
$ trivy fs secrets --debug
2024-05-27T13:40:23+03:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-27T13:40:23+03:00 DEBUG Ignore statuses statuses=[]
2024-05-27T13:40:23+03:00 DEBUG Cache dir dir="/Users/asankov/Library/Caches/trivy"
2024-05-27T13:40:23+03:00 DEBUG DB update was skipped because the local DB is the latest
2024-05-27T13:40:23+03:00 DEBUG DB info schema=2 updated_at=2024-05-27T06:12:09.854561954Z next_update=2024-05-27T12:12:09.854561794Z downloaded_at=2024-05-27T10:39:59.156462Z
2024-05-27T13:40:23+03:00 INFO Vulnerability scanning is enabled
2024-05-27T13:40:23+03:00 DEBUG Vulnerability type type=[os library]
2024-05-27T13:40:23+03:00 INFO Secret scanning is enabled
2024-05-27T13:40:23+03:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-27T13:40:23+03:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-27T13:40:23+03:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-27T13:40:23+03:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-05-27T13:40:23+03:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-27T13:40:23+03:00 DEBUG OS is not detected.
2024-05-27T13:40:23+03:00 DEBUG Detected OS: unknown
2024-05-27T13:40:23+03:00 INFO Number of language-specific files num=0
```

### Operating System

macOS

### Version

```bash
Version: 0.51.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-27 06:12:09.854561954 +0000 UTC
  NextUpdate: 2024-05-27 12:12:09.854561794 +0000 UTC
  DownloadedAt: 2024-05-27 10:39:59.156462 +0000 UTC
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
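To illustrate the gap the issue describes, here is an added Go example (not Trivy's own code) that runs a simplified, hypothetical token pattern in its quotes-required and quotes-optional forms over constructed YAML, `.env` and quoted-`.env` samples; the pattern and the token body are made up for the example and do not reproduce Trivy's actual `grafana-api-token` rule.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical simplified rule modelled on the issue's description: a token
// that starts with "eyJrIjo" and MUST be wrapped in single or double quotes.
// This is an illustration, not the real pattern from builtin-rules.go.
var quotedOnly = regexp.MustCompile(`['"]eyJrIjo[A-Za-z0-9]{20,400}['"]`)

// The same rule with both quotes made optional, as the issue proposes.
// The prefix and length constraints still bound what it can match.
var quotesOptional = regexp.MustCompile(`['"]?eyJrIjo[A-Za-z0-9]{20,400}['"]?`)

// Detects reports whether re finds a candidate secret anywhere in content.
func Detects(re *regexp.Regexp, content string) bool {
	return re.MatchString(content)
}

// Constructed sample file contents; the token body is fabricated.
const (
	sampleYAML      = "grafana:\n  token: eyJrIjoiNjQyOTAxMjM0NTY3ODkwYWJjZGVm\n"
	sampleEnv       = "GRAFANA_TOKEN=eyJrIjoiNjQyOTAxMjM0NTY3ODkwYWJjZGVm\n"
	sampleQuotedEnv = "GRAFANA_TOKEN=\"eyJrIjoiNjQyOTAxMjM0NTY3ODkwYWJjZGVm\"\n"
)

func main() {
	samples := map[string]string{
		"yaml (unquoted)": sampleYAML,
		".env (unquoted)": sampleEnv,
		".env (quoted)":   sampleQuotedEnv,
	}
	for name, content := range samples {
		fmt.Printf("%-16s quotes required: %-5t quotes optional: %t\n",
			name, Detects(quotedOnly, content), Detects(quotesOptional, content))
	}
}
```

Only the quoted `.env` sample is caught by the quotes-required form; the relaxed form catches all three, which is the behaviour the issue asks for.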
asankov commented 1 month ago

Do you want me to contribute a fix?

It will be trivial to make the quotes optional.

nikpivkin commented 1 month ago

@asankov Thanks for your interest! Trivy is open for contributions https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md