feat(secret): enhance secret scanning for python binary files

[afdesk]

Description

Notes
this way doesn't detect secrets inside .odt (LibreOffice format) and .pdf.

Demo file:

secret1 = "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"
print(secret1)

$ python3 -m compileall .

Before:

$ trivy fs --scanners secret __pycache__/
2024-08-01T18:03:59+06:00	INFO	[secret] Secret scanning is enabled
2024-08-01T18:03:59+06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-01T18:03:59+06:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection

After:

$ trivy fs --scanners secret __pycache__/
secret.cpython-310.pyc (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: GitHub (github-fine-grained-pat)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Fine-grained personal access tokens
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Related issues

• Close feat: enhance secret scanning for specific binary files #7204

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

For binary files, we should not show the line as it is not printable. grep just shows "matches".

$ grep github_pat __pycache__/main.cpython-312.pyc
Binary file __pycache__/main.cpython-312.pyc matches

[knqyf263]

This implementation concats all single printable characters, leading to the long string. Even in a binary file, there are many printable character strings when viewed on a per-byte basis. I think the strings way, setting the minimum length, is better like I shared.

[DmitriyLewen]

What if we omit the is prefix?

Suggested change

	func isAllowedBinary(filename string) bool {
	func allowedBinary(filename string) bool {

[afdesk]

done

[DmitriyLewen]

I sugest to use toFinding function.
something like this:

Suggested change

	if args.Binary {
	for _, match := range matched {
	findings = append(findings, types.SecretFinding{
	RuleID: match.Rule.ID,
	Category: match.Rule.Category,
	Severity: lo.Ternary(match.Rule.Severity == "", "UNKNOWN", match.Rule.Severity),
	Title: match.Rule.Title,
	Match: fmt.Sprintf("Binary file %q matches a rule %q", args.FilePath, match.Rule.Title),
	StartLine: 1,
	EndLine: 1,
	})
	}
	} else {
	for _, match := range matched {
	findings = append(findings, toFinding(match.Rule, match.Location, censored))
	}
	for _, match := range matched {
	finding := toFinding(match.Rule, match.Location, censored)
	// These fields will be unreadable for binaries,
	// Therefore overwrite them.
	if args.Binary {
	finding.Match = fmt.Sprintf("Binary file %q matches a rule %q", args.FilePath, match.Rule.Title)
	finding.Code = types.Code{}
	}
	findings = append(findings, finding)
	}

It might make sense to add flag to toFinding function to skip findLocation.

wdyt?

[afdesk]

sure! it's a better way!

[DmitriyLewen]

LGTM