Trivy wrongly detects private keys in *.pyc files

[OverOrion]

Description

#7223 PR introduced this behaviour, which will result in false positives many times.

For example https://github.com/googleapis/google-auth-library-python/blob/main/google/auth/crypt/_python_rsa.py
contains the following string literals for detecting private keys:

_PKCS1_MARKER = ("-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----")
_PKCS8_MARKER = ("-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----")

Once this gets compiled into a *.pyc file, then running the strings command on it yields the following:

$ strings _python_rsa.cpython-312.pyc  | grep PRIV
-----BEGIN RSA PRIVATE KEY-----z
-----END RSA PRIVATE KEY-----)
-----BEGIN PRIVATE KEY-----z
-----END PRIVATE KEY-----c

And this will match (regex101) the given regular expression in your rule set:

(?i)-----\s*?BEGIN[ A-Z0-9_-]*?PRIVATE KEY( BLOCK)?\s*?-----[\s]*?(?P<secret>[A-Za-z0-9=+/\\\r\n][A-Za-z0-9=+/\\\s]+)[\s]*?-----\s*?END[ A-Z0-9_-]*? PRIVATE KEY( BLOCK)?\s*?-----

Desired Behavior

This should not be reported as a HIGH: AsymmetricPrivateKey (private-key).

The private key detection should not be just a regex.

Actual Behavior

Because of the validation logic this (and I believe many more will) gets reported as a published secret.

Reproduction Steps

See description

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

Did not run it, there was no need.

Operating System

Ubuntu

Version

v0.56.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @OverOrion
Thanks for your report!

Created #7700

Regards, Dmitriy