Updates gitleaks and trivy scanners

gitleaks for validating secrets and trivy to extracting layer commans
boostsecurityio · Sep 9, 2024 · c674dbc · c674dbc
2 parents 31f800d + e48a476
commit c674dbc
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/scanners/boostsecurityio/gitleaks-full/module.yaml b/scanners/boostsecurityio/gitleaks-full/module.yaml
@@ -63,6 +63,11 @@ steps:
           cat $SETUP_PATH/gitleaks-output.sarif
 
       post-processor:
-        docker:
-          command: process --git-scan
-          image: public.ecr.aws/boostsecurityio/boost-scanner-gitleaks:005aa11@sha256:605f7ac26f64a1ec766f0023a09fbca95146546ea2abae5d32ffe62e180fda79
+        - docker:
+            command: process --git-scan
+            image: public.ecr.aws/boostsecurityio/boost-scanner-gitleaks:a13a131@sha256:97321d82da1b4adfbc1cd7fddb23a2ef57b8f9c2db0ccbc007f15f7adefb0086
+        - docker:
+            command: process --gitleaks-full
+            image: public.ecr.aws/boostsecurityio/boost-scanner-keyscope:6524873@sha256:f9310e1e1856d75c217d828350f9be0bfbde0c374cbaad5d00a2438965611281
+            environment:
+              VALIDATE_SECRET: ${BOOST_VALIDATE_SECRET:-}
diff --git a/scanners/boostsecurityio/gitleaks/module.yaml b/scanners/boostsecurityio/gitleaks/module.yaml
@@ -58,10 +58,15 @@ steps:
         environment:
           GITLEAKS_CONFIG: ${GITLEAKS_CONFIG:-}
         run: |
-          $SETUP_PATH/gitleaks detect --no-banner --exit-code 0 --redact --report-format sarif --no-git --report-path $SETUP_PATH/gitleaks-output.sarif --source .
+          $SETUP_PATH/gitleaks detect --no-banner --exit-code 0 --report-format sarif --no-git --report-path $SETUP_PATH/gitleaks-output.sarif --source .
           cat $SETUP_PATH/gitleaks-output.sarif
 
       post-processor:
-        docker:
-          command: process
-          image: public.ecr.aws/boostsecurityio/boost-scanner-gitleaks:cc6e72e@sha256:a157c5eafcecde97cf5ec4ce8ec8fed3838d3f64c8e141746b40a97b57b1a80a
+        - docker:
+            command: process
+            image: public.ecr.aws/boostsecurityio/boost-scanner-gitleaks:a13a131@sha256:97321d82da1b4adfbc1cd7fddb23a2ef57b8f9c2db0ccbc007f15f7adefb0086
+        - docker:
+            command: process
+            image: public.ecr.aws/boostsecurityio/boost-scanner-keyscope:6524873@sha256:f9310e1e1856d75c217d828350f9be0bfbde0c374cbaad5d00a2438965611281
+            environment:
+              VALIDATE_SECRET: ${BOOST_VALIDATE_SECRET:-}
diff --git a/scanners/boostsecurityio/trivy-image/module.yaml b/scanners/boostsecurityio/trivy-image/module.yaml
@@ -64,7 +64,9 @@ steps:
       format: sarif
       post-processor:
         docker:
-          image: public.ecr.aws/boostsecurityio/boost-scanner-trivy:6ccb85c@sha256:aa68249959479a1be506c8f918c3efd6371ed3de7ccc3915b0710d7dc3e7c5cd
+          image: public.ecr.aws/boostsecurityio/boost-scanner-trivy:98a7dba@sha256:4a884b0dc8232bb85327a72bfe84c60cb56d0c8d663601a4c140d057552d7ee8
           command: process
+          workdir: /code
           environment:
             PYTHONIOENCODING: utf-8
+            DOCKERFILE_PATH: ${BOOST_DOCKERFILE_PATH:-}