aquasecurity · ankk13 · Aug 19, 2022 · Aug 22, 2022 · Sep 6, 2022 · knqyf263
@@ -39,6 +39,7 @@ var (
 
 type ScannerOption struct {
 	ConfigPath string
+	Config     *secret.Config
 }
 
 // SecretAnalyzer is an analyzer for secrets
@@ -48,22 +49,29 @@ type SecretAnalyzer struct {
 }
 
 func RegisterSecretAnalyzer(opt ScannerOption) error {
-	a, err := newSecretAnalyzer(opt.ConfigPath)
+	a, err := newSecretAnalyzer(opt)
 	if err != nil {
 		return xerrors.Errorf("secret scanner init error: %w", err)
 	}
 	analyzer.RegisterAnalyzer(a)
 	return nil
 }
 
-func newSecretAnalyzer(configPath string) (SecretAnalyzer, error) {
-	s, err := secret.NewScanner(configPath)
+func newSecretAnalyzer(opt ScannerOption) (SecretAnalyzer, error) {
+	if opt.Config != nil {
+		s, err := secret.NewScannerByConfig(*opt.Config)
+		if err != nil {
+			return SecretAnalyzer{}, xerrors.Errorf("secret scanner error: %w", err)
+		}
+		return SecretAnalyzer{scanner: s}, nil
+	}
+	s, err := secret.NewScanner(opt.ConfigPath)
 	if err != nil {
 		return SecretAnalyzer{}, xerrors.Errorf("secret scanner error: %w", err)
 	}
 	return SecretAnalyzer{
 		scanner:    s,
-		configPath: configPath,
+		configPath: opt.ConfigPath,
 	}, nil
 }
 

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+	"github.com/aquasecurity/trivy/pkg/fanal/secret"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
@@ -97,12 +98,13 @@ func TestSecretAnalyzer(t *testing.T) {
 	tests := []struct {
 		name       string
 		configPath string
+		config     *secret.Config
 		filePath   string
 		dir        string
 		want       *analyzer.AnalysisResult
 	}{
 		{
-			name:       "return results",
+			name:       "return results with config file",
 			configPath: "testdata/config.yaml",
 			filePath:   "testdata/secret.txt",
 			dir:        ".",
@@ -115,6 +117,32 @@ func TestSecretAnalyzer(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:       "return results with config",
+			configPath: "",
+			config: &secret.Config{
+				CustomRules: []secret.Rule{
+					{
+						ID:              "rule1",
+						Category:        "general",
+						Title:           "Generic Rule",
+						Severity:        "HIGH",
+						Regex:           secret.MustCompile("(?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]"),
+						SecretGroupName: "secret",
+					},
+				},
+			},
+			filePath: "testdata/secret.txt",
+			dir:      ".",
+			want: &analyzer.AnalysisResult{
+				Secrets: []types.Secret{
+					{
+						FilePath: "testdata/secret.txt",
+						Findings: []types.SecretFinding{wantFinding1, wantFinding2},
+					},
+				},
+			},
+		},
 		{
 			name:       "image scan return result",
 			configPath: "testdata/image-config.yaml",
@@ -150,7 +178,7 @@ func TestSecretAnalyzer(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			a, err := newSecretAnalyzer(tt.configPath)
+			a, err := newSecretAnalyzer(ScannerOption{tt.configPath, tt.config})
 			require.NoError(t, err)
 			content, err := os.Open(tt.filePath)
 			require.NoError(t, err)
@@ -205,7 +233,7 @@ func TestSecretRequire(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			a, err := newSecretAnalyzer("")
+			a, err := newSecretAnalyzer(ScannerOption{"", nil})
 			require.NoError(t, err)
 
 			fi, err := os.Stat(tt.filePath)

@@ -287,14 +287,17 @@ func NewScanner(configPath string) (Scanner, error) {
 
 	log.Logger.Infof("Loading %s for secret scanning...", configPath)
 
-	// reset global
-	global = Global{}
-
 	var config Config
 	if err = yaml.NewDecoder(f).Decode(&config); err != nil {
 		return Scanner{}, xerrors.Errorf("secrets config decode error: %w", err)
 	}
 
+	return NewScannerByConfig(config)
+}
+
+func NewScannerByConfig(config Config) (Scanner, error) {
+	global := &Global{}
+
 	enabledRules := builtinRules
 	if len(config.EnableBuiltinRuleIDs) != 0 {
 		// Enable only specified built-in rules
@@ -319,7 +322,7 @@ func NewScanner(configPath string) (Scanner, error) {
 
 	global.ExcludeBlock = config.ExcludeBlock
 
-	return Scanner{Global: &global}, nil
+	return Scanner{Global: global}, nil
 }
 
 type ScanArgs struct {