use Defang secret-detector to identify potential secret leaks before publishing OCI artifacts

Signed-off-by: Guillaume Lours <[email protected]>

Author: glours

go.mod

@@ -4,6 +4,7 @@ go 1.23.6
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
+	github.com/DefangLabs/secret-detector v0.0.0-20250108223530-c2b44d4c1f8f
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/buger/goterm v1.0.4
@@ -116,6 +117,7 @@ require (
 	github.com/goccy/go-yaml v1.13.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -129,6 +131,7 @@ require (
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -202,6 +205,7 @@ require (
 	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/api v0.31.2 // indirect
 	k8s.io/apimachinery v0.31.2 // indirect

go.sum

@@ -10,6 +10,8 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEK
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/DefangLabs/secret-detector v0.0.0-20250108223530-c2b44d4c1f8f h1:RTbUqLhPxejgK92ifVdMTIW9H23QLlscy8QXPDTfaL4=
+github.com/DefangLabs/secret-detector v0.0.0-20250108223530-c2b44d4c1f8f/go.mod h1:2UjtD/G/Sy2FxoHpxKnzHTXMpRURecwYal8HgbxcvkY=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -221,6 +223,8 @@ github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -277,6 +281,8 @@ github.com/in-toto/in-toto-golang v0.5.0/go.mod h1:/Rq0IZHLV7Ku5gielPT4wPHJfH1Gd
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf h1:FtEj8sfIcaaBfAKrE1Cwb61YDtYq9JxChK1c7AKce7s=
+github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf/go.mod h1:yrqSXGoD/4EKfF26AOGzscPOgTTJcyAwM2rpixWT+t4=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jinzhu/gorm v0.0.0-20170222002820-5409931a1bb8 h1:CZkYfurY6KGhVtlalI4QwQ6T0Cu6iuY3e0x5RLu96WE=
@@ -682,6 +688,8 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
+gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473 h1:6D+BvnJ/j6e222UW8s2qTSe3wGBtvo0MbVQG/c5k8RE=
 gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473/go.mod h1:N1eN2tsCx0Ydtgjl4cqmbRCsY4/+z4cYDeqwZTk6zog=
 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.1 h1:d4KQkxAaAiRY2h5Zqis161Pv91A37uZyJOx73duwUwM=

pkg/compose/publish.go

@@ -17,12 +17,17 @@
 package compose
 
 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 
+	"github.com/DefangLabs/secret-detector/pkg/scanner"
+	"github.com/DefangLabs/secret-detector/pkg/secrets"
+
 	"github.com/compose-spec/compose-go/v2/loader"
 	"github.com/compose-spec/compose-go/v2/types"
 	"github.com/distribution/reference"
@@ -259,15 +264,37 @@ func (s *composeService) generateImageDigestsOverride(ctx context.Context, proje
 	return override.MarshalYAML()
 }
 
+//nolint:gocyclo
 func (s *composeService) preChecks(project *types.Project, options api.PublishOptions) (bool, error) {
-	if ok, err := s.checkOnlyBuildSection(project); !ok {
+	if ok, err := s.checkOnlyBuildSection(project); !ok || err != nil {
+		return false, err
+	}
+	if ok, err := s.checkForBindMount(project); !ok || err != nil {
 		return false, err
 	}
+	if options.AssumeYes {
+		return true, nil
+	}
+	detectedSecrets, err := s.checkForSensitiveData(project)
+	if err != nil {
+		return false, err
+	}
+	if len(detectedSecrets) > 0 {
+		fmt.Println("you are about to publish sensitive data within your OCI artifact.\n" +
+			"please double check that you are not leaking sensitive data")
+		for _, val := range detectedSecrets {
+			_, _ = fmt.Fprintln(s.dockerCli.Out(), val.Type)
+			_, _ = fmt.Fprintf(s.dockerCli.Out(), "%q: %s\n", val.Key, val.Value)
+		}
+		if ok, err := acceptPublishSensitiveData(s.dockerCli); err != nil || !ok {
+			return false, err
+		}
+	}
 	envVariables, err := s.checkEnvironmentVariables(project, options)
 	if err != nil {
 		return false, err
 	}
-	if !options.AssumeYes && len(envVariables) > 0 {
+	if len(envVariables) > 0 {
 		fmt.Println("you are about to publish environment variables within your OCI artifact.\n" +
 			"please double check that you are not leaking sensitive data")
 		for key, val := range envVariables {
@@ -276,17 +303,10 @@ func (s *composeService) preChecks(project *types.Project, options api.PublishOp
 				_, _ = fmt.Fprintf(s.dockerCli.Out(), "%s=%v\n", k, *v)
 			}
 		}
-		return acceptPublishEnvVariables(s.dockerCli)
-	}
-
-	for name, config := range project.Services {
-		for _, volume := range config.Volumes {
-			if volume.Type == types.VolumeTypeBind {
-				return false, fmt.Errorf("cannot publish compose file: service %q relies on bind-mount. You should use volumes", name)
-			}
+		if ok, err := acceptPublishEnvVariables(s.dockerCli); err != nil || !ok {
+			return false, err
 		}
 	}
-
 	return true, nil
 }
 
@@ -332,6 +352,12 @@ func acceptPublishEnvVariables(cli command.Cli) (bool, error) {
 	return confirm, err
 }
 
+func acceptPublishSensitiveData(cli command.Cli) (bool, error) {
+	msg := "Are you ok to publish these sensitive data? [y/N]: "
+	confirm, err := prompt.NewPrompt(cli.In(), cli.Out()).Confirm(msg, false)
+	return confirm, err
+}
+
 func envFileLayers(project *types.Project) []ocipush.Pushable {
 	var layers []ocipush.Pushable
 	for _, service := range project.Services {
@@ -367,3 +393,103 @@ func (s *composeService) checkOnlyBuildSection(project *types.Project) (bool, er
 	}
 	return true, nil
 }
+
+func (s *composeService) checkForBindMount(project *types.Project) (bool, error) {
+	for name, config := range project.Services {
+		for _, volume := range config.Volumes {
+			if volume.Type == types.VolumeTypeBind {
+				return false, fmt.Errorf("cannot publish compose file: service %q relies on bind-mount. You should use volumes", name)
+			}
+		}
+	}
+	return true, nil
+}
+
+func (s *composeService) checkForSensitiveData(project *types.Project) ([]secrets.DetectedSecret, error) {
+	var allFindings []secrets.DetectedSecret
+	scan := scanner.NewDefaultScanner()
+
+	projecYaml, _ := project.MarshalYAML()
+	_, _ = scan.ScanReader(bytes.NewReader(projecYaml))
+
+	// Check all compose files
+	for _, file := range project.ComposeFiles {
+		in, err := composeFileAsByteReader(file, project)
+		if err != nil {
+			return nil, err
+		}
+
+		findings, err := scan.ScanReader(in)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan compose file %s: %w", file, err)
+		}
+		allFindings = append(allFindings, findings...)
+	}
+	for _, service := range project.Services {
+		// Check env files
+		for _, envFile := range service.EnvFiles {
+			findings, err := scan.ScanFile(envFile.Path)
+			if err != nil {
+				return nil, fmt.Errorf("failed to scan env file %s: %w", envFile.Path, err)
+			}
+			allFindings = append(allFindings, findings...)
+		}
+	}
+
+	// Check configs defined by files
+	for _, config := range project.Configs {
+		if config.File != "" {
+			findings, err := scan.ScanFile(config.File)
+			if err != nil {
+				return nil, fmt.Errorf("failed to scan config file %s: %w", config.File, err)
+			}
+			allFindings = append(allFindings, findings...)
+		}
+	}
+
+	// Check secrets defined by files
+	for _, secret := range project.Secrets {
+		if secret.File != "" {
+			findings, err := scan.ScanFile(secret.File)
+			if err != nil {
+				return nil, fmt.Errorf("failed to scan secret file %s: %w", secret.File, err)
+			}
+			allFindings = append(allFindings, findings...)
+		}
+	}
+
+	return allFindings, nil
+}
+
+func composeFileAsByteReader(filePath string, project *types.Project) (io.Reader, error) {
+	composeFile, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open compose file %s: %w", filePath, err)
+	}
+	base, err := loader.LoadWithContext(context.TODO(), types.ConfigDetails{
+		WorkingDir:  project.WorkingDir,
+		Environment: project.Environment,
+		ConfigFiles: []types.ConfigFile{
+			{
+				Filename: filePath,
+				Content:  composeFile,
+			},
+		},
+	}, func(options *loader.Options) {
+		options.SkipValidation = true
+		options.SkipExtends = true
+		options.SkipConsistencyCheck = true
+		options.ResolvePaths = true
+		options.SkipInterpolation = true
+		options.SkipResolveEnvironment = true
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	in, err := base.MarshalYAML()
+	if err != nil {
+		return nil, err
+	}
+	return bytes.NewBuffer(in), nil
+}

pkg/e2e/fixtures/publish/compose-sensitive.yml

@@ -0,0 +1,10 @@
+services:
+  serviceA:
+    image: "alpine:3.12"
+    environment:
+      - AWS_ACCESS_KEY_ID=A3TX1234567890ABCDEF
+      - AWS_SECRET_ACCESS_KEY=aws"12345+67890/abcdefghijklm+NOPQRSTUVWXYZ+"
+  serviceB:
+    image: "alpine:3.12"
+    env_file:
+      - publish-sensitive.env

pkg/e2e/fixtures/publish/publish-sensitive.env

@@ -0,0 +1 @@
+GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyz

pkg/e2e/fixtures/publish/publish.env

@@ -1,2 +1,2 @@
 FOO=bar
-QUIX=
+QUIX=

pkg/e2e/publish_test.go

@@ -134,4 +134,19 @@ FOO=bar`), res.Combined())
 			"-p", projectName, "alpha", "publish", "test/test", "--dry-run")
 		res.Assert(t, icmd.Expected{ExitCode: 1, Err: "cannot publish compose file with local includes"})
 	})
+
+	t.Run("detect sensitive data", func(t *testing.T) {
+		cmd := c.NewDockerComposeCmd(t, "-f", "./fixtures/publish/compose-sensitive.yml",
+			"-p", projectName, "alpha", "publish", "test/test", "--with-env", "--dry-run")
+		cmd.Stdin = strings.NewReader("n\n")
+		res := icmd.RunCmd(cmd)
+		res.Assert(t, icmd.Expected{ExitCode: 0})
+
+		output := res.Combined()
+		assert.Assert(t, strings.Contains(output, "you are about to publish sensitive data within your OCI artifact.\n"), output)
+		assert.Assert(t, strings.Contains(output, "please double check that you are not leaking sensitive data"), output)
+		assert.Assert(t, strings.Contains(output, "AWS Client ID\n\"services.serviceA.environment.AWS_ACCESS_KEY_ID\": A3TX1234567890ABCDEF"), output)
+		assert.Assert(t, strings.Contains(output, "AWS Secret Key\n\"services.serviceA.environment.AWS_SECRET_ACCESS_KEY\": aws\"12345+67890/abcdefghijklm+NOPQRSTUVWXYZ+\""), output)
+		assert.Assert(t, strings.Contains(output, "Github authentication\n\"GITHUB_TOKEN\": ghp_1234567890abcdefghijklmnopqrstuvwxyz"), output)
+	})
 }