Scan for secrets

Artifact Analysis vulnerability scanning can identify secrets (such as service account keys and API keys) stored in scanned images. You can view information about these secrets in the occurrence report of the vulnerability scan and take action to prevent sensitive information from leaking.

Overview

When a vulnerability scan detects a secret, Artifact Analysis creates an occurrence of kind Secret that contains the details of the secret. Artifact Analysis can detect the following secrets:

Secret

  • Anthropic admin key
  • Anthropic API key
  • Azure access token
  • Azure ID token
  • Docker Hub personal access token
  • GitHub App refresh token
  • GitHub App server-to-server token
  • GitHub App user-to-server token
  • GitHub classic personal access token
  • GitHub fine-grained personal access token
  • GitHub OAuth token
  • Google Cloud OAuth2 (client ID and secret) pair
  • Google Cloud OAuth2 access token
  • Google Cloud service account key
  • Google Cloud API key
  • Huggingface API key
  • OpenAI API key
  • Perplexity API key
  • Stripe restricted key
  • Stripe secret key
  • Stripe webhook secret

For more information about the different kinds of secrets in occurrence reports, see SecretKind in the Artifact Analysis API documentation.

Artifact Analysis can only detect secrets stored as text files. The following file extensions are supported:

  • .cer
  • .cfg
  • .crt
  • .der
  • .env
  • .html
  • .key
  • .ipynb
  • .json
  • .log
  • .md
  • .pem
  • .py
  • .pypirc
  • .textproto
  • .toml
  • .txt
  • .xml
  • .yaml

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.


  3. If you're using an existing project to complete this guide, verify that you have the permissions required to complete it. If you created a new project, you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Artifact Registry and Container Scanning APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.


  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command:

    gcloud init

Enabling this API also enables language package scanning in Artifact Registry. See Supported package types.

Required roles

To get the permissions that you need to scan for secrets in images during vulnerability scanning, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

View secrets

To view secrets after a vulnerability scan, do the following:

  1. Push a Docker image to Artifact Registry.

  2. Wait for the vulnerability scan to complete.

  3. Run the following command to list the secret occurrences in the scanned image:

    $ curl -G -H "Content-Type: application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      --data-urlencode "filter=(kind=\"SECRET\" AND resourceUrl=\"RESOURCE_URL\")" \
      https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/occurrences

    Where:

    • PROJECT_ID is your Google Cloud console project ID.
    • LOCATION is the regional or multi-regional location of the repository.
    • RESOURCE_URL is the URL of the scanned image, in the form https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID.

    The following example response shows a possible result. In this example, a Google Cloud API key was identified in a file named my_api_key.yaml in the image's documents directory. The secret property shows information about the secret that was found.

    {
      "occurrences": [
        {
          "name": "projects/my-project/locations/us-east1/occurrences/45619d23-66b1-4f5b-9b12-9060d7f97ff3",
          "resourceUri": "https://us-east1-docker.pkg.dev/my-project/my-images/test-image-0106@sha256:73cf5b9a788dc391c40e9cf1599144d03875b5d2dc935988ebfef8260bd2678e",
          "noteName": "projects/my-project/locations/us-east1/notes/secret_kind_gcp_api_key",
          "kind": "SECRET",
          "createTime": "2026-01-06T21:16:14.905851Z",
          "updateTime": "2026-01-06T21:16:14.905851Z",
          "secret": {
            "kind": "SECRET_KIND_GCP_API_KEY",
            "locations": [
              {
                "fileLocation": {
                  "filePath": "documents/my_api_key.yaml",
                  "layerDetails": {
                    "index": 2,
                    "diffId": "7b76df10d6d90391830392eac96b0ef2d2d43822c6ff4754aa6daea0fe14a8c5",
                    "command": "COPY . . # buildkit",
                    "chainId": "sha256:75df0c59982f47cc38e730e1a122b67fceaaf7797d91e1fa17ffffc5cfe7ff59"
                  }
                }
              }
            ]
          }
        }
      ]
    }
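    The response above is easier to act on once it is flattened into one row per secret, file and image layer, because the layerDetails block tells you which Dockerfile step copied the secret in. The following Python script is an added example, not code from the page or from Google Cloud: it builds the same filter and URL as the curl command, optionally fetches the occurrences with a token from `gcloud auth print-access-token`, and summarises a response offline. The SAMPLE_RESPONSE is constructed for the example from the response shown above plus a second, made-up service account key occurrence (all names, digests and IDs are illustrative); the per-finding cap of 1000 locations is taken from the Limitations section.

```python
"""Triage helper for Artifact Analysis SECRET occurrences (added example)."""
import json
import urllib.parse
import urllib.request

API_BASE = "https://containeranalysis.googleapis.com/v1"
MAX_LOCATIONS_PER_FINDING = 1000  # cap stated in the Limitations section


def build_filter(resource_url):
    """Same filter expression as the curl command on this page."""
    return f'(kind="SECRET" AND resourceUrl="{resource_url}")'


def occurrences_url(project_id, location, resource_url):
    """Full request URL with the filter URL-encoded (what --data-urlencode does)."""
    query = urllib.parse.urlencode({"filter": build_filter(resource_url)})
    return f"{API_BASE}/projects/{project_id}/locations/{location}/occurrences?{query}"


def fetch_occurrences(project_id, location, resource_url, access_token):
    """Network call; access_token comes from `gcloud auth print-access-token`."""
    req = urllib.request.Request(
        occurrences_url(project_id, location, resource_url),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize(response):
    """Flatten SECRET occurrences into one row per (secret kind, file, layer)."""
    rows = []
    for occ in response.get("occurrences", []):
        if occ.get("kind") != "SECRET":
            continue  # the filter should exclude these, but be defensive
        secret = occ.get("secret", {})
        locations = secret.get("locations", [])
        for loc in locations:
            file_loc = loc.get("fileLocation", {})
            layer = file_loc.get("layerDetails", {})
            rows.append({
                "occurrence": occ.get("name"),
                "secret_kind": secret.get("kind"),
                "file_path": file_loc.get("filePath"),
                "layer_index": layer.get("index"),
                "layer_command": layer.get("command"),
                # Hitting the cap means more files may exist than were reported.
                "maybe_truncated": len(locations) >= MAX_LOCATIONS_PER_FINDING,
            })
    return rows


def layers_to_fix(rows):
    """Distinct (layer index, build command) pairs that introduced a secret."""
    return sorted({(r["layer_index"], r["layer_command"]) for r in rows})


def _location(path, index, command):
    return {"fileLocation": {"filePath": path,
                             "layerDetails": {"index": index, "command": command}}}


# Constructed sample: the page's API-key occurrence plus a made-up second one.
SAMPLE_RESPONSE = {"occurrences": [
    {"name": "projects/my-project/locations/us-east1/occurrences/45619d23-66b1-4f5b-9b12-9060d7f97ff3",
     "kind": "SECRET",
     "secret": {"kind": "SECRET_KIND_GCP_API_KEY",
                "locations": [_location("documents/my_api_key.yaml", 2, "COPY . . # buildkit")]}},
    {"name": "projects/my-project/locations/us-east1/occurrences/example-sa-key-occurrence",
     "kind": "SECRET",
     "secret": {"kind": "SECRET_KIND_GCP_SERVICE_ACCOUNT_KEY",  # illustrative kind name
                "locations": [_location("app/creds/sa.json", 3, "COPY creds/ /app/creds # buildkit"),
                              _location("app/creds/backup.json", 3, "COPY creds/ /app/creds # buildkit")]}},
]}

if __name__ == "__main__":
    for row in summarize(SAMPLE_RESPONSE):
        print(f"{row['secret_kind']:40} {row['file_path']:30} layer {row['layer_index']}: {row['layer_command']}")
    print("Layers to rebuild without the secret:", layers_to_fix(summarize(SAMPLE_RESPONSE)))
```

    Each row still needs manual verification before the image is rebuilt or removed, since the Limitations section notes that false positives occur; the layer index and command simply point you at the Dockerfile step to inspect.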
    

Limitations

  • During public preview, Secret-kind occurrences can be viewed only through the Container Analysis API.
  • Artifact Analysis secret scanning reports at most one finding per secret per image. A maximum of 1000 file locations is returned per finding.
  • False positives are possible for identified secrets. Always verify each identified secret before taking any action on the image.