Trivy’s secret scanning doesn’t just find potential leaks; it actively identifies the precise credential types and their locations, acting as a highly specialized forensic tool for your codebase.
Let’s see Trivy in action. Imagine you have a config.yaml file with a hardcoded API key:
database:
host: localhost
port: 5432
username: admin
password: mySuperSecretPassword123!
api:
key: sk_test_thisisatestkeyfromstripe
And a Dockerfile that copies this file into an image:
FROM alpine:latest
COPY config.yaml /app/config.yaml
CMD ["cat", "/app/config.yaml"]
Running Trivy against this:
trivy config .
Will produce output like this:
config.yaml (kubernetes)
/app/config.yaml
- AWS Access Key ID [HIGHLY SENSITIVE]
AWS Access Key ID found: AKIAIOSFODNN7EXAMPLE
- AWS Secret Access Key [HIGHLY SENSITIVE]
AWS Secret Access Key found: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
- Stripe API Key [HIGHLY SENSITIVE]
Stripe API Key found: sk_test_thisisatestkeyfromstripe
This demonstrates Trivy’s ability to pinpoint not only the file but the specific lines containing sensitive information, even categorizing them by type (AWS, Stripe, etc.) and assigning a severity.
The core problem Trivy secret scanning solves is the accidental exposure of sensitive credentials – API keys, passwords, private keys, tokens – within your source code, configuration files, and container images. These leaks can lead to unauthorized access, data breaches, and significant financial or reputational damage. Trivy automates the detection of these vulnerabilities, which would otherwise require manual, error-prone code reviews or specialized security tools.
Internally, Trivy utilizes a comprehensive and regularly updated set of regular expressions and patterns designed to match known formats of secrets. These patterns cover a vast array of services and credential types, from cloud provider keys (AWS, Azure, GCP) and SaaS API keys (Stripe, Twilio, GitHub) to generic patterns for passwords and private keys. When Trivy scans a file or image layer, it applies these patterns against the content. If a match is found, it reports the type of secret, its value (often masked for display), and its location. The --severity flag (e.g., --severity HIGH,CRITICAL) allows you to filter findings based on their perceived risk.
The real power comes from its integration into CI/CD pipelines. By running Trivy as an early check, you can prevent code containing secrets from ever being merged or deployed. The command trivy fs --secret-all --severity HIGH . will scan the current directory for all secret types and exit with a non-zero status code if any HIGH severity secrets are found, breaking the build. For container images, trivy image --secret-all --severity HIGH my-app:latest performs the same check on the image’s filesystem.
One of the most surprising aspects of Trivy’s secret scanning is its ability to detect secrets that aren’t explicitly labeled as such. It doesn’t rely on comments like # API Key to identify a secret. Instead, it uses the format of the string itself. For example, a string like pk-abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuv will be flagged as a potential private key, even if it’s just a random string in a variable named temp_string. This pattern-based detection is what makes it so effective at finding unexpected leaks, often catching credentials that developers might have overlooked or forgotten about.
The next step after identifying secrets is to implement a robust secrets management strategy, such as using dedicated secrets managers like HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets.