secrets module falsely reports github-app-token after something was already deleted

[jghiloni]

IDs

github-app-token

Description

In a docker build, I have

# Include a private github token to download private repos in requirements.txt
RUN --mount=type=secret,id=github-token,env=GH_TOKEN \
    git config --global --add url.https://xapp:${GH_TOKEN}@git.colasdn.top.insteadOf https://github.com

then later in the Dockerfile I have

# This file has a PAT in it now
RUN rm /root/.gitconfig

However, when I run aquasecurity/[email protected], I get this:

havrioncore.azurecr.io/iptv-contentserver-pr:latest (alpine 3.21.3)
===================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


/root/.gitconfig (secrets)
==========================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: GitHub (github-app-token)
════════════════════════════════════════
GitHub App Token
────────────────────────────────────────
 /root/.gitconfig:1 (added by 'RUN /bin/sh -c git config --global --add')
────────────────────────────────────────
   1 [ [url "***github.com"]
   2   	insteadOf = https://github.com/
────────────────────────────────────────

I have verified that that file no longer exists in the built image. Here's the step definition I have to call the action:

      - id: scan-container
        uses: aquasecurity/[email protected]
        with:
          scan-ref: ${{steps.build-container.outputs.image-ref}}
          format: table
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

Suggestions of what's up are welcome. I don't really want to add this to .trivyignore but ... can't move forward without it.

Reproduction Steps

1. Have a docker image with these two steps in it:

# Include a private github token to download private repos in requirements.txt
RUN --mount=type=secret,id=github-token,env=GH_TOKEN \
    git config --global --add url.https://xapp:${GH_TOKEN}@git.colasdn.top.insteadOf https://github.com

then later in the Dockerfile I have

# This file has a PAT in it now
RUN rm /root/.gitconfig

2. Build the image
3. Scan the image

### Target

Container Image

### Scanner

Secret

### Target OS

_No response_

### Debug Output

```bash
havrioncore.azurecr.io/iptv-contentserver-pr:latest (alpine 3.21.3)
===================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


/root/.gitconfig (secrets)
==========================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: GitHub (github-app-token)
════════════════════════════════════════
GitHub App Token
────────────────────────────────────────
 /root/.gitconfig:1 (added by 'RUN /bin/sh -c git config --global --add')
────────────────────────────────────────
   1 [ [url "***github.com"]
   2   	insteadOf = https://github.com
────────────────────────────────────────

Version

v0.56.1 (from github action)

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

Files deleted across layers remain stored within the layer. You can confirm this by using tools like docker save, which will show that the secret is still recorded. Therefore, detecting it is the correct behavior. If you combine the RUN instructions into a single layer as shown below, it should no longer be detected.

RUN --mount=type=secret,id=github-token,env=GH_TOKEN \
    git config --global --add url.https://xapp:${GH_TOKEN}@git.colasdn.top.insteadOf https://github.com &&
        rm /root/.gitconfig