Latest checks database failing for valid Dockerfiles: Secrets passed via build-args or envs or copied secret files

[peetw]

IDs

AVD-DS-0031

Description

After the latest trivy-checks package was released earlier this morning (version 1.2), we have noticed a large number of trivy Dockerfile checks failing with the following error:

Secrets passed via `build-args` or envs or copied secret files

This occurs even for the most minimal Dockerfile possible (see repro steps below).

Passing the --skip-check-update option to trivy resolves the issue, but doesn't seem to be a long-term solution?

Reproduction Steps

1. echo "FROM alpine" > Dockerfile
2. trivy filesystem --scanners misconfig --severity CRITICAL ./Dockerfile

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

# trivy filesystem --debug -f json --scanners misconfig --severity CRITICAL ./Dockerfile
2024-10-30T14:31:06Z    DEBUG   No plugins loaded
2024-10-30T14:31:06Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-30T14:31:06Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-10-30T14:31:06Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-10-30T14:31:06Z    DEBUG   Parsed severities       severities=[CRITICAL]
2024-10-30T14:31:06Z    DEBUG   Ignore statuses statuses=[]
2024-10-30T14:31:06Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-30T14:31:06Z    DEBUG   [misconfig] Checks successfully loaded from disk
2024-10-30T14:31:06Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-30T14:31:06Z    DEBUG   Initializing scan cache...      type="memory"
2024-10-30T14:31:06Z    DEBUG   Scanning files for misconfigurations... scanner="Dockerfile"
2024-10-30T14:31:06Z    DEBUG   [rego] Overriding filesystem for checks
2024-10-30T14:31:06Z    DEBUG   [rego] Embedded libraries are loaded    count=13
2024-10-30T14:31:06Z    DEBUG   [rego] Embedded checks are loaded       count=508
2024-10-30T14:31:06Z    DEBUG   [rego] Checks from disk are loaded      count=524
2024-10-30T14:31:06Z    DEBUG   [rego] Overriding filesystem for data
2024-10-30T14:31:06Z    DEBUG   [rego] Scanning inputs  count=1
2024-10-30T14:31:06Z    DEBUG   OS is not detected.
2024-10-30T14:31:06Z    INFO    Detected config files   num=1
2024-10-30T14:31:06Z    DEBUG   Scanned config file     file_path="Dockerfile"
2024-10-30T14:31:06Z    DEBUG   [vex] VEX filtering is disabled
{
  "SchemaVersion": 2,
  "CreatedAt": "2024-10-30T14:31:06.95637568Z",
  "ArtifactName": "Dockerfile",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "MisconfSummary": {
        "Successes": 7,
        "Failures": 13,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "(?i)(?:_|^)(?:apikey|auth|credential|credentials|key|passwd|password|psw|pword|secret|token|usr)(?:_|$)",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_pattern",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "apikey",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "auth",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "credential",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "credentials",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "key",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "passwd",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "password",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "psw",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "pword",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "secret",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "token",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS031",
          "AVDID": "AVD-DS-0031",
          "Title": "Secrets passed via `build-args` or envs or copied secret files",
          "Description": "Passing secrets via `build-args` or envs or copying secret files can leak them out",
          "Message": "usr",
          "Namespace": "builtin.dockerfile.DS031",
          "Query": "data.builtin.dockerfile.DS031.deny_secrets_tokens",
          "Resolution": "Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds031",
          "References": [
            "https://docs.docker.com/build/building/secrets/",
            "https://avd.aquasec.com/misconfig/ds031"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        }
      ]
    }
  ]
}

Version

Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-30 12:18:34.152287976 +0000 UTC
  NextUpdate: 2024-10-31 12:18:34.152287826 +0000 UTC
  DownloadedAt: 2024-10-30 14:14:53.800828105 +0000 UTC
Check Bundle:
  Digest: sha256:2ed7e46361a869fff0499f44b05ee88cc54fa48b1643d75ea3734f88b2677c51
  DownloadedAt: 2024-10-30 14:24:55.511692896 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

Please see #7828 (comment)