Scan for secrets

Artifact Analysis vulnerability scanning can identify secrets stored in scanned images, such as service account keys and API keys. You can view information about these secrets in the vulnerability scan's occurrence report and take action to prevent the private data from being exposed.

Overview

If vulnerability scanning detects a secret, Artifact Analysis creates an occurrence of kind secret and provides the secret's details. Artifact Analysis can detect the following secrets:

Secret

  • Anthropic admin key
  • Anthropic API key
  • Azure access token
  • Azure ID token
  • Docker Hub personal access token
  • GitHub App refresh token
  • GitHub App server-to-server token
  • GitHub App user-to-server token
  • GitHub classic personal access token
  • GitHub fine-grained personal access token
  • GitHub OAuth token
  • Google Cloud OAuth2 (client ID and secret) pair
  • Google Cloud OAuth2 access token
  • Google Cloud service account key
  • Google Cloud API key
  • Huggingface API key
  • OpenAI API key
  • Perplexity API key
  • Stripe restricted key
  • Stripe secret key
  • Stripe webhook secret

For more information about the different kinds of secrets in an occurrence report, see SecretKind in the Artifact Analysis API documentation.

Artifact Analysis can only detect secrets stored as text files. The supported file extensions are:

  • .cer
  • .cfg
  • .crt
  • .der
  • .env
  • .html
  • .key
  • .ipynb
  • .json
  • .log
  • .md
  • .pem
  • .py
  • .pypirc
  • .textproto
  • .toml
  • .txt
  • .xml
  • .yaml

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.


  3. If you're using an existing project for this guide, verify that you have the permissions needed to complete it. If you create a new project, you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Artifact Registry and Container Scanning APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.


  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command:

    gcloud init

After you enable this API, language package scanning is also performed in Artifact Registry. See the supported package types.

Required roles

To get the permissions that you need to scan images for secrets during vulnerability scanning, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

View secrets

To view secrets after a vulnerability scan, follow these steps:

  1. Push a Docker image to Artifact Registry.

  2. Wait for the vulnerability scan to complete.

  3. Run the following command to list the secret occurrences for the scanned image:

    $ curl -G -H "Content-Type: application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      --data-urlencode "filter=(kind=\"SECRET\" AND resourceUrl=\"RESOURCE_URL\")" \
      https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/occurrences

    Where:

    • PROJECT_ID is your Google Cloud console project ID.
    • LOCATION is the regional or multi-regional location of the repository.
    • RESOURCE_URL is the URL of the scanned image, in the format https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID

    The following example response shows a possible result. In this example, a Google Cloud API key was identified in a file named my_api_key.yaml in the image's documents directory. The secret property shows information about the discovered secret.

    {
      "occurrences": [
        {
          "name": "projects/my-project/locations/us-east1/occurrences/45619d23-66b1-4f5b-9b12-9060d7f97ff3",
          "resourceUri": "https://us-east1-docker.pkg.dev/my-project/my-images/test-image-0106@sha256:73cf5b9a788dc391c40e9cf1599144d03875b5d2dc935988ebfef8260bd2678e",
          "noteName": "projects/my-project/locations/us-east1/notes/secret_kind_gcp_api_key",
          "kind": "SECRET",
          "createTime": "2026-01-06T21:16:14.905851Z",
          "updateTime": "2026-01-06T21:16:14.905851Z",
          "secret": {
            "kind": "SECRET_KIND_GCP_API_KEY",
            "locations": [
              {
                "fileLocation": {
                  "filePath": "documents/my_api_key.yaml",
                  "layerDetails": {
                    "index": 2,
                    "diffId": "7b76df10d6d90391830392eac96b0ef2d2d43822c6ff4754aa6daea0fe14a8c5",
                    "command": "COPY . . # buildkit",
                    "chainId": "sha256:75df0c59982f47cc38e730e1a122b67fceaaf7797d91e1fa17ffffc5cfe7ff59"
                  }
                }
              }
            ]
          }
        }
      ]
    }
    
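As an added example that is not part of this documentation, the following Python script builds the same filter string as the curl command above and turns a SECRET occurrence list into a per-kind summary of file paths together with the layer command that introduced each file (so the Dockerfile step to fix can be located); the sample response is constructed to match the shape shown above, and the 1,000-location cap it checks is the one stated under Limitations.

```python
"""Summarise Artifact Analysis SECRET occurrences by secret kind and image layer."""
import json
from collections import defaultdict

# The documentation states each occurrence returns at most 1,000 file locations.
MAX_LOCATIONS_PER_OCCURRENCE = 1000

# Constructed sample response, shaped like the JSON on this page (values are made up).
SAMPLE_RESPONSE = json.loads("""
{"occurrences": [
  {"name": "projects/my-project/locations/us-east1/occurrences/example-1",
   "kind": "SECRET",
   "secret": {"kind": "SECRET_KIND_GCP_API_KEY",
              "locations": [
                {"fileLocation": {"filePath": "documents/my_api_key.yaml",
                                  "layerDetails": {"index": 2, "command": "COPY . . # buildkit"}}},
                {"fileLocation": {"filePath": "config/app.env",
                                  "layerDetails": {"index": 2, "command": "COPY . . # buildkit"}}}]}},
  {"name": "projects/my-project/locations/us-east1/occurrences/example-2",
   "kind": "VULNERABILITY"}
]}
""")

def occurrence_filter(resource_url: str) -> str:
    """Filter string for the occurrences list call, matching the curl example above."""
    return f'(kind="SECRET" AND resourceUrl="{resource_url}")'

def summarise_secrets(response: dict) -> dict:
    """Map secret kind -> findings; each finding names the file and the layer command
    that added it. Occurrences of other kinds (e.g. VULNERABILITY) are skipped."""
    findings = defaultdict(list)
    for occ in response.get("occurrences", []):
        if occ.get("kind") != "SECRET":
            continue
        secret = occ.get("secret", {})
        locations = secret.get("locations", [])
        # At the documented cap the list may have been cut off: flag for manual follow-up.
        truncated = len(locations) >= MAX_LOCATIONS_PER_OCCURRENCE
        for loc in locations:
            file_loc = loc.get("fileLocation", {})
            layer = file_loc.get("layerDetails", {})
            findings[secret.get("kind", "UNKNOWN")].append({
                "path": file_loc.get("filePath"),
                "layer_index": layer.get("index"),
                "layer_command": layer.get("command"),
                "possibly_truncated": truncated,
            })
    return dict(findings)
```

Every finding should still be checked by hand before the image is acted on, since the scanner can report false positives.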

Limitations

  • During the public preview of secret scanning, occurrences of kind secret can only be viewed through the Container Analysis API.
  • An Artifact Analysis secret scanning report reports at most one occurrence per secret per image. Each occurrence returns at most 1,000 file locations.
  • Identified secrets may be false positives. Verify each identified secret before you take any action on the image.