Open venkatasandeeplade opened 5 months ago
Related to #2940
I'm facing the same issue. The current implementation seems to only scan the created_by field of the config metadata and e.g. not the envs:
https://github.com/trufflesecurity/trufflehog/blob/3b0b2909ca94209ad753f0eccfd185e8be0f3d62/pkg/sources/docker/docker.go#L278
Trufflehog seems to already be using https://github.com/google/go-containerregistry/, which has a tool called crane that can get this docker config data, so it should not be impossible to scan the whole config instead. Might have a go at creating a pull request.
https://github.com/google/go-containerregistry/tree/main/cmd/crane
```
$ crane config nginx | jq
{
  "architecture": "amd64",
  "config": {
    "ExposedPorts": {
      "80/tcp": {}
    },
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "NGINX_VERSION=1.27.1",
      "NJS_VERSION=0.8.5",
      "NJS_RELEASE=1~bookworm",
      "PKG_RELEASE=1~bookworm",
      "DYNPKG_RELEASE=2~bookworm"
    ],
    "Entrypoint": [
      "/docker-entrypoint.sh"
    ],
    "Cmd": [
    ...
```
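To make concrete what "scan the whole config instead of only created_by" means, here is an added example (not TruffleHog's code and not from the comment above) that flattens every free-form string field of an image config as printed by `crane config` and runs a simple credential-style detector over each one, reporting where in the config the match sits. The `ImageConfig` struct, the `secretPattern` regex and the embedded sample JSON are all assumptions constructed for this example; TruffleHog itself uses `v1.ConfigFile` from go-containerregistry and its own per-service detectors.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// ImageConfig is an assumed, dependency-free subset of the OCI/Docker image
// config, restricted to the fields that carry arbitrary strings and therefore
// may leak credentials. Key names mirror `crane config` output.
type ImageConfig struct {
	Config struct {
		Env        []string          `json:"Env"`
		Cmd        []string          `json:"Cmd"`
		Entrypoint []string          `json:"Entrypoint"`
		Labels     map[string]string `json:"Labels"`
	} `json:"config"`
	History []struct {
		CreatedBy string `json:"created_by"`
	} `json:"history"`
}

// Chunk is one scannable string plus a locator for reporting.
type Chunk struct {
	Location string
	Data     string
}

// ConfigChunks flattens Env, Cmd, Entrypoint, Labels and every history
// created_by entry into chunks, so nothing in the config is skipped.
func ConfigChunks(raw []byte) ([]Chunk, error) {
	var cfg ImageConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var out []Chunk
	for i, e := range cfg.Config.Env {
		out = append(out, Chunk{fmt.Sprintf("config.Env[%d]", i), e})
	}
	for i, c := range cfg.Config.Cmd {
		out = append(out, Chunk{fmt.Sprintf("config.Cmd[%d]", i), c})
	}
	for i, c := range cfg.Config.Entrypoint {
		out = append(out, Chunk{fmt.Sprintf("config.Entrypoint[%d]", i), c})
	}
	for k, v := range cfg.Config.Labels {
		out = append(out, Chunk{"config.Labels." + k, k + "=" + v})
	}
	for i, h := range cfg.History {
		out = append(out, Chunk{fmt.Sprintf("history[%d].created_by", i), h.CreatedBy})
	}
	return out, nil
}

// secretPattern is a constructed, deliberately simple detector: KEY=VALUE where
// the key looks credential-like. A real scanner uses service-specific detectors.
var secretPattern = regexp.MustCompile(`(?i)\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)=(\S+)`)

// Finding records which config field matched and which key name did.
type Finding struct {
	Location string
	Key      string
}

// ScanConfig runs the detector over every chunk of the config.
func ScanConfig(raw []byte) ([]Finding, error) {
	chunks, err := ConfigChunks(raw)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, c := range chunks {
		for _, m := range secretPattern.FindAllStringSubmatch(c.Data, -1) {
			out = append(out, Finding{c.Location, m[1]})
		}
	}
	return out, nil
}

// sampleConfig is a constructed image config with secrets planted in an Env
// entry, a label and a created_by line; the values are not real credentials.
const sampleConfig = `{
  "architecture": "amd64",
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "JFROG_PASSWORD=hunter2-constructed"
    ],
    "Entrypoint": ["/docker-entrypoint.sh"],
    "Cmd": ["nginx", "-g", "daemon off;"],
    "Labels": {"org.example.build_token": "tok-constructed"}
  },
  "history": [
    {"created_by": "/bin/sh -c #(nop)  ENV ARTIFACTORY_TOKEN=tok-constructed"},
    {"created_by": "/bin/sh -c apt-get update"}
  ]
}`

func main() {
	findings, err := ScanConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: credential-like key %q\n", f.Location, f.Key)
	}
}
```

Only the created_by finding would be reported by a scanner that looks at history alone; the Env and Labels findings are exactly the kind of metadata the issue says is currently missed.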
TruffleHog Version
└─$ trufflehog --version trufflehog 3.78.2
Trace Output
Sorry to say, we can't share as per organisation policy.
Command used: `trufflehog docker --image=xxxxx.dkr.ecr.us-west-2.amazonaws.com/xx/aiops-pii-mask:1234_abcd_1234`
Expected Behavior
Trufflehog should report the secrets exposed in docker config.json/metadata file
Actual Behavior
We have some JFrog passwords in docker metadata / layer information. Trufflehog is not reporting them.
Environment