Add secret scanning to trivy-fs and trivy-image scanners (#213)

JonathanSerafini · web-flow · commit 63ea2f515d5b · 2025-10-31T13:07:38.000-04:00
diff --git a/scanners/boostsecurityio/trivy-fs/module.yaml b/scanners/boostsecurityio/trivy-fs/module.yaml
@@ -4,6 +4,7 @@ id: boostsecurityio/trivy-fs
 name: Trivy (Filesystem scanning)
 namespace: boostsecurityio/trivy-fs
 scan_types:
+  - secrets
   - sca
 
 config:
@@ -106,18 +107,19 @@ steps:
           TRIVY_ADDITIONAL_ARGS: ${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
           TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
+          TRIVY_SCANNERS: vuln,secret
         run: >
           $SETUP_PATH/trivy fs 
           ${TRIVY_ADDITIONAL_ARGS} 
           --format json
           --no-progress
-          --scanners vuln
+          --scanners ${TRIVY_SCANNERS}
           --skip-version-check 
           . 2>&1
       format: sarif
       post-processor:
         docker:
-          image: public.ecr.aws/boostsecurityio/boost-scanner-trivy:fba2c2b@sha256:42514869cb1ad36e13bd51e55523de6a767104094ec9e99391de89835a388dfd
+          image: public.ecr.aws/boostsecurityio/boost-scanner-trivy:b990ceb@sha256:d4871661744790add629604c85b396458e54cec780ac881a5c3e4fa9fd1dde22
           command: process
           environment:
             PYTHONIOENCODING: utf-8
diff --git a/scanners/boostsecurityio/trivy-fs/rules.yaml b/scanners/boostsecurityio/trivy-fs/rules.yaml
@@ -1,2 +1,3 @@
 import:
   - boostsecurityio/sca-cve
+  - boostsecurityio/stored-secrets
diff --git a/scanners/boostsecurityio/trivy-image/module.yaml b/scanners/boostsecurityio/trivy-image/module.yaml
@@ -4,6 +4,7 @@ id: boostsecurityio/trivy-image
 name: Trivy (Image scanning)
 namespace: boostsecurityio/trivy-image
 scan_types:
+  - secrets
   - sca_container
 
 config:
@@ -60,18 +61,19 @@ steps:
           TRIVY_ADDITIONAL_ARGS: ${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
           TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
+          TRIVY_SCANNERS: vuln,secret
         run: >
           $SETUP_PATH/trivy image 
           ${TRIVY_ADDITIONAL_ARGS} 
           --format json 
-          --scanners vuln
+          --scanners ${TRIVY_SCANNERS}
           --skip-version-check 
           --quiet 
           ${BOOST_IMAGE_NAME}
       format: sarif
       post-processor:
         docker:
-          image: public.ecr.aws/boostsecurityio/boost-scanner-trivy:fba2c2b@sha256:42514869cb1ad36e13bd51e55523de6a767104094ec9e99391de89835a388dfd
+          image: public.ecr.aws/boostsecurityio/boost-scanner-trivy:b990ceb@sha256:d4871661744790add629604c85b396458e54cec780ac881a5c3e4fa9fd1dde22
           command: process
           workdir: /code
           environment:
diff --git a/scanners/boostsecurityio/trivy-image/rules.yaml b/scanners/boostsecurityio/trivy-image/rules.yaml
@@ -1,3 +1,5 @@
+import:
+  - boostsecurityio/stored-secrets
 rules:
   cve-unknown:
     categories:

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`import:`
`2`	`2`	`- boostsecurityio/sca-cve`
	`3`	`+ - boostsecurityio/stored-secrets`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+import:`
	`2`	`+ - boostsecurityio/stored-secrets`
`1`	`3`	`rules:`
`2`	`4`	`cve-unknown:`
`3`	`5`	`categories:`