New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(secret): add line from dockerfile where secret was added to secret result #2780
Conversation
pkg/fanal/types/secret.go
Outdated
Layer Layer `json:",omitempty"` | ||
CreatedBy string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we put CreatedBy
into Layer
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DOne
pkg/report/table/secret_test.go
Outdated
my-file:3-4 | ||
──────────────────────────────────────── | ||
This secret is added in 'COPY my-file my-file' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After some consideration, I came up with another idea. One line looks better. If it has a file hash, what if we take the first 7 characters like git rev-parse --short HEAD
?
my-file:3-4 | |
──────────────────────────────────────── | |
This secret is added in 'COPY my-file my-file' | |
my-file:3-4 (added by 'COPY my-file my-file') |
Then, if it is still too long, we can cut it like the first 40 chars, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pkg/fanal/artifact/image/image.go
Outdated
layerKeyMap := map[string]string{} | ||
var createdBy []string | ||
// save createdBy fields in order of layers | ||
for i := 0; i < len(configFile.History); i++ { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for i := 0; i < len(configFile.History); i++ { | |
for i, history := range configFile.History { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pkg/fanal/artifact/image/image.go
Outdated
layerKeyMap[blobKey] = diffID | ||
|
||
c := "" | ||
if len(createdBy) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if len(createdBy) > 0 { | |
if len(createdBy) > i { |
hookVersions := a.handlerManager.Versions() | ||
var layerKeys []string | ||
for _, diffID := range diffIDs { | ||
for i, diffID := range diffIDs { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should compare len(diffIDs)
and len(createdBy)
. They should be the same. If they don't match, we should warn it. It is probably our bug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The deleted secret can be removed from secret map, if respective OpaqueDirs/Whiteoutfiles are found.
Hello @ankk13 if so - we can't do that, because image still contain this secret. |
…rfile-line-for-secrets
Yes, even if image still contain layer. I believe it is correct to tag secret as "delete in intermediate layer", as we are not commenting that secret is deleted. Let me know if you feel otherwise |
Description
For images: secrets contain the string from
dockerfile
where this secret was added from.Also, this line is contained in the table report.
e.g.
Related PRs
Checklist