Secret scanner never scans anything

[felix-barz-brickmakers]

Description

The secret scanner simply seems to not work at all. I have tried multiple combinations and variations, none do work.

The following issue could be related, but I think are not the same thing:

• Trivy randomly fail to find vulnerabilities and reports 0 issues #7758: For me this happens consistenly, for EVERY project I scan, no matter if it is a fs or image target. It also happens both on my mac and in a fresh docker container.

Desired Behavior

The scanner finds a secret.

Actual Behavior

It reports no files scanned.

Reproduction Steps

1. Create a basic, vulnerable file:

AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"

2. Scan it:

trivy fs --scanners secret --debug example.py

The result will look something like this:

2025-06-24T14:44:33+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-24T14:44:33+02:00       DEBUG   Cache dir       dir="/Users/xxx/Library/Caches/trivy"
2025-06-24T14:44:33+02:00       DEBUG   Cache dir       dir="/Users/xxx/Library/Caches/trivy"
2025-06-24T14:44:33+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-06-24T14:44:33+02:00       DEBUG   Ignore statuses statuses=[]
2025-06-24T14:44:33+02:00       INFO    [secret] Secret scanning is enabled
2025-06-24T14:44:33+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-06-24T14:44:33+02:00       INFO    [secret] Please see also https://trivy.dev/v0.63/docs/scanner/secret#recommendation for faster secret detection
2025-06-24T14:44:33+02:00       DEBUG   [notification] Running version check
2025-06-24T14:44:33+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-06-24T14:44:33+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-06-24T14:44:33+02:00       DEBUG   [fs] Analyzing...       root="example.py"
2025-06-24T14:44:33+02:00       DEBUG   [fs] Random cache key will be used      err="failed to open git repository: stat /var/folders/pb/xxx/T/tmp.QgKGGiH62k/example.py/.git: not a directory"
2025-06-24T14:44:33+02:00       DEBUG   OS is not detected.
2025-06-24T14:44:33+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-06-24T14:44:33+02:00       DEBUG   [vex] VEX filtering is disabled
2025-06-24T14:44:33+02:00       INFO    [report] No issues detected with scanner(s).    scanners=[secret]

Report Summary

┌────────┬──────┬─────────┐
│ Target │ Type │ Secrets │
├────────┼──────┼─────────┤
│   -    │  -   │    -    │
└────────┴──────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Target

Filesystem

Scanner

Secret

Output Format

Table

Mode

Standalone

Debug Output

2025-06-24T14:44:33+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-24T14:44:33+02:00       DEBUG   Cache dir       dir="/Users/xxx/Library/Caches/trivy"
2025-06-24T14:44:33+02:00       DEBUG   Cache dir       dir="/Users/xxx/Library/Caches/trivy"
2025-06-24T14:44:33+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-06-24T14:44:33+02:00       DEBUG   Ignore statuses statuses=[]
2025-06-24T14:44:33+02:00       INFO    [secret] Secret scanning is enabled
2025-06-24T14:44:33+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-06-24T14:44:33+02:00       INFO    [secret] Please see also https://trivy.dev/v0.63/docs/scanner/secret#recommendation for faster secret detection
2025-06-24T14:44:33+02:00       DEBUG   [notification] Running version check
2025-06-24T14:44:33+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-06-24T14:44:33+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-06-24T14:44:33+02:00       DEBUG   [fs] Analyzing...       root="example.py"
2025-06-24T14:44:33+02:00       DEBUG   [fs] Random cache key will be used      err="failed to open git repository: stat /var/folders/pb/xxx/T/tmp.QgKGGiH62k/example.py/.git: not a directory"
2025-06-24T14:44:33+02:00       DEBUG   OS is not detected.
2025-06-24T14:44:33+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-06-24T14:44:33+02:00       DEBUG   [vex] VEX filtering is disabled
2025-06-24T14:44:33+02:00       INFO    [report] No issues detected with scanner(s).    scanners=[secret]

Report Summary

┌────────┬──────┬─────────┐
│ Target │ Type │ Secrets │
├────────┼──────┼─────────┤
│   -    │  -   │    -    │
└────────┴──────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Operating System

macOS 15.5, but also happens in docker containers

Version

Version: 0.63.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-06-24 06:28:36.198340509 +0000 UTC
  NextUpdate: 2025-06-25 06:28:36.198340228 +0000 UTC
  DownloadedAt: 2025-06-24 10:37:31.623111 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-06-24 10:37:32.176851 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @felix-barz-brickmakers
Thanks for your report!

AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"

your secret contains example word. Trivy skips these secrets:
https://trivy.dev/latest/docs/scanner/secret/#disable-rules

trivy/pkg/fanal/secret/builtin-allow-rules.go

Lines 16 to 21 in 3adfd98

	{
	ID: "examples",
	Description: "Avoid example files and paths", // e.g. https://github.com/boto/botocore/blob/develop/botocore/data/organizations/2016-11-28/examples-1.json
	Path: MustCompile(`example`),
	Regex: MustCompile("(?i)example"),
	},

example:

➜  echo 'AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE' > 1.txt
➜  trivy -q fs --scanners secret ./1.txt 

Report Summary

┌────────┬──────┬─────────┐
│ Target │ Type │ Secrets │
├────────┼──────┼─────────┤
│   -    │  -   │    -    │
└────────┴──────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

➜  echo 'AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7ASDFGHJ' > 2.txt
➜  trivy -q fs --scanners secret ./2.txt                       

Report Summary

┌────────┬──────┬─────────┐
│ Target │ Type │ Secrets │
├────────┼──────┼─────────┤
│ /2.txt │ text │    1    │
└────────┴──────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


/2.txt (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-access-key-id)
════════════════════════════════════════════════════════════════════════════════
AWS Access Key ID
────────────────────────────────────────────────────────────────────────────────
 /2.txt:1
────────────────────────────────────────────────────────────────────────────────
   1 [ AWS_SECRET_ACCESS_KEY = "********************
   2   
────────────────────────────────────────────────────────────────────────────────

[felix-barz-brickmakers]

Oh, thats quite smart, did not expect the tool to behave like that. Thank you for the clarification. I did some more tests, and not using "example" other other test keywords did indeed change the situation

[felix-barz-brickmakers]

Missunderstanding of exclusions on my side