扫描密文

Artifact Analysis 漏洞扫描可以识别存储在扫描映像中的密钥(例如服务账号密钥和 API 密钥)。 您可以在漏洞扫描的发生报告中查看有关这些密钥的信息,并采取措施来防止敏感信息泄露。

概览

当漏洞扫描检测到 Secret 时,Artifact Analysis 会创建一个包含 Secret 详细信息的 Secret 类型出现情况。 Artifact Analysis 可以检测以下密钥:

Secret

  • Anthropic 管理员密钥
  • Anthropic API 密钥
  • Azure 访问令牌
  • Azure ID 令牌
  • Docker Hub 个人访问令牌
  • GitHub 应用刷新令牌
  • GitHub 应用服务器到服务器令牌
  • GitHub 应用用户到服务器令牌
  • GitHub 传统个人访问令牌
  • GitHub 精细的个人访问令牌
  • GitHub OAuth 令牌
  • Google Cloud OAuth2(客户端 ID 和密钥)对
  • Google Cloud OAuth2 访问令牌
  • Google Cloud 服务账号密钥
  • Google Cloud API 密钥
  • Huggingface API 密钥
  • OpenAI API 密钥
  • Perplexity API 密钥
  • Stripe 受限密钥
  • Stripe 密钥
  • Stripe webhook 密钥

如需详细了解发生报告中的不同类型的密文,请参阅 Artifact Analysis API 文档中的 SecretKind

Artifact Analysis 只能检测以文本文件形式存储的 Secret。支持以下文件扩展名:

  • .cer
  • .cfg
  • .crt
  • .der
  • .env
  • .html
  • .key
  • .ipynb
  • .json
  • .log
  • .md
  • .pem
  • .py
  • .pypirc
  • .textproto
  • .toml
  • .txt
  • .xml
  • .yaml

准备工作

  1. 登录您的 Google Cloud 账号。如果您是 Google Cloud新手,请 创建一个账号来评估我们的产品在实际场景中的表现。新客户还可获享 $300 赠金,用于运行、测试和部署工作负载。

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Artifact Registry and Container Scanning APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  6. 安装 Google Cloud CLI。

  7. 如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI

  8. 如需初始化 gcloud CLI,请运行以下命令: 

    gcloud init

  9. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  10. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  11. Verify that billing is enabled for your Google Cloud project.

  12. Enable the Artifact Registry and Container Scanning APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  13. 安装 Google Cloud CLI。

  14. 如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI

  15. 如需初始化 gcloud CLI,请运行以下命令: 

    gcloud init

启用此 API 还会启用 Artifact Registry 中的语言包扫描功能。请参阅支持的软件包类型

所需的角色

如需获得在漏洞扫描期间扫描映像中的密钥所需的权限,请让管理员向您授予项目的以下 IAM 角色:

如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限

您也可以通过自定义角色或其他预定义角色来获取所需的权限。

查看 Secret

如需在漏洞扫描后查看密钥,请执行以下操作:

  1. 将 Docker 映像推送到 Artifact Registry

  2. 等待漏洞扫描完成。

  3. 运行以下命令,列出扫描映像中出现的密钥:

    $ curl -G -H "Content-Type: application/json"   -H "Authorization: Bearer $(gcloud auth print-access-token)" --data-urlencode "filter=(kind=\"SECRET\" AND resourceUrl=\"RESOURCE_URL\")" https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/occurrences

    其中:

    • PROJECT_ID 是您的 Google Cloud 控制台项目 ID
    • LOCATION 是代码库的单区域或多区域位置
    • RESOURCE_URL 是扫描图片的网址,格式为 https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID

    以下示例响应显示了可能的结果。在此示例中,系统在图片的 documents 目录中识别出了一个名为 my_api_key.yaml 的Google Cloud API 密钥。secret 属性显示有关发现的 Secret 的信息。

    {
  "occurrences": [
    {
      "name": "projects/my-project/locations/us-east1/occurrences/45619d23-66b1-4f5b-9b12-9060d7f97ff3",
      "resourceUri": "https://us-east1-docker.pkg.dev/my-project/my-images/test-image-0106@sha256:73cf5b9a788dc391c40e9cf1599144d03875b5d2dc935988ebfef8260bd2678e",
      "noteName": "projects/my-project/locations/us-east1/notes/secret_kind_gcp_api_key",
      "kind": "SECRET",
      "createTime": "2026-01-06T21:16:14.905851Z",
      "updateTime": "2026-01-06T21:16:14.905851Z",
      "secret": {
        "kind": "SECRET_KIND_GCP_API_KEY",
        "locations": [
          {
            "fileLocation": {
              "filePath": "documents/my_api_key.yaml",
              "layerDetails": {
                "index": 2,
                "diffId": "7b76df10d6d90391830392eac96b0ef2d2d43822c6ff4754aa6daea0fe14a8c5",
                "command": "COPY . . # buildkit",
                "chainId": "sha256:75df0c59982f47cc38e730e1a122b67fceaaf7797d91e1fa17ffffc5cfe7ff59"
              }
            }
          }
        ]
      }
    }
  ]
}

限制

  • 在公开预览版期间,只能在 Container Analysis API 中查看密钥类型发生实例。
  • Artifact Analysis Secret 扫描报告最多会针对每个映像中的每个 Secret 报告一次发现。每次最多返回 1000 个文件位置。
  • 对于已识别的 Secret,可能会出现误报。在对映像采取任何操作之前,请务必先验证每个已识别的密文。