Added probe that scans for Docker registry creds #25
jksolbakken wants to merge 5 commits into boostsecurityio:main from
pkg/probe/docker_creds.go
| if err != nil { | ||
| return findings, err | ||
| } | ||
| for _, registry := range registries { |
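Review bot: the `for _, registry := range registries` loop raises a finding for the config entries themselves, so every Docker and Podman config file the probe indexes is reported as holding cleartext creds. The probe should hand each file's content to the existing detector registry and append to `findings` only when a detector actually matches; the `if err != nil { return findings, err }` guard above can stay as the error path for that call.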
Sorry for not being clear enough, but the probe is used to access the files in the index; then you need to run the detectors on the content of your files to actually detect credentials. When credentials are actually detected, a finding can be created. The current implementation will just flag every Docker and Podman config file as having creds in clear when that is not necessarily the case.
| // Copyright (C) 2026 boostsecurity.io | ||
| // SPDX-License-Identifier: GPL-3.0-or-later | ||
|
|
||
| package detector |
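Review bot: this new file under `package detector` is not needed. The probe already passes file content to the existing detector registry, and the existing detectors' patterns cover registry credentials, so a Docker-specific detector duplicates that coverage; suggest dropping the file from the PR.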
@jksolbakken that detector is not needed. What you did in the probe is to call the detectors registry on the content of files using the existing detectors we have. That is all that is required. Detectors contain specific patterns for specific secrets, but in this case it will be covered by existing ones.
Docker and Podman store registry creds in cleartext if credential helpers are not used.
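The following is an added example, not code from this PR or from the boostsecurityio project, showing the distinction the review draws: only a config entry that carries secret material inline is a finding, while the empty entries Docker and Podman write when `credsStore` or `credHelpers` delegate to a helper are not. The `dockerConfig`, `Finding` and `ScanDockerConfig` names are hypothetical, and the embedded config is constructed for the example (the `auth` value is base64 of `demo-user:hunter2`, pointing at no real registry).

```go
package main

// Added example (not code from the PR under review): decide, from the content
// of a Docker config.json or Podman auth.json, which registry entries actually
// hold cleartext credentials. Type and function names here are hypothetical.

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// dockerConfig mirrors the parts of ~/.docker/config.json that matter here.
// Podman's auth.json uses the same "auths" layout, so one parser serves both.
type dockerConfig struct {
	Auths       map[string]authEntry `json:"auths"`
	CredsStore  string               `json:"credsStore"`
	CredHelpers map[string]string    `json:"credHelpers"`
}

// authEntry is one registry entry. When a credential helper is in use the
// entry is written empty and the secret lives outside the file.
type authEntry struct {
	Auth          string `json:"auth"` // base64("user:password")
	Username      string `json:"username"`
	Password      string `json:"password"`
	IdentityToken string `json:"identitytoken"` // OAuth-style token
}

// Finding is the hypothetical result type: one per registry with inline creds.
type Finding struct {
	Registry string
	Username string // empty when it cannot be recovered from the entry
	Reason   string
}

// ScanDockerConfig parses the file content and reports only registries whose
// secret material is stored inline. Entries delegated to credsStore or a
// credHelper are empty and therefore produce no finding, which is what the
// review asks for: a finding only when credentials are actually detected.
func ScanDockerConfig(content []byte) ([]Finding, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(content, &cfg); err != nil {
		return nil, fmt.Errorf("parse docker config: %w", err)
	}
	var findings []Finding
	for registry, e := range cfg.Auths {
		switch {
		case e.Auth != "":
			f := Finding{Registry: registry, Reason: "base64 user:password in auth field"}
			if raw, err := base64.StdEncoding.DecodeString(e.Auth); err == nil {
				if user, _, ok := strings.Cut(string(raw), ":"); ok {
					f.Username = user
				}
			} else {
				f.Reason = "non-base64 value in auth field"
			}
			findings = append(findings, f)
		case e.Password != "":
			findings = append(findings, Finding{Registry: registry, Username: e.Username, Reason: "plaintext password field"})
		case e.IdentityToken != "":
			findings = append(findings, Finding{Registry: registry, Username: e.Username, Reason: "identity token stored inline"})
		}
		// An empty entry is the normal state when credsStore or credHelpers
		// are configured for that registry: no finding.
	}
	// Map iteration order is random; sort so output and tests are stable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Registry < findings[j].Registry })
	return findings, nil
}

// SampleConfig is a constructed config.json for demonstration only. The auth
// value is base64("demo-user:hunter2"); no real registry or credential is used.
const SampleConfig = `{
  "auths": {
    "registry.example.test": {"auth": "ZGVtby11c2VyOmh1bnRlcjI="},
    "ghcr.example.test": {"username": "bob", "password": "plain-secret"},
    "https://index.docker.io/v1/": {}
  },
  "credsStore": "desktop",
  "credHelpers": {"helper.example.test": "ecr-login"}
}`

func main() {
	findings, err := ScanDockerConfig([]byte(SampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: user=%q (%s)\n", f.Registry, f.Username, f.Reason)
	}
}
```

Run against the sample, the scan reports `ghcr.example.test` and `registry.example.test` and stays silent on the Docker Hub entry, which is empty because `credsStore` handles it. In a probe this function would be called per indexed file, with one finding appended per entry it returns rather than per file.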