| 685 | } |
| 686 | |
| 687 | func (s *composeService) checkForSensitiveData(ctx context.Context, project *types.Project) ([]secrets.DetectedSecret, error) { |
| 688 | var allFindings []secrets.DetectedSecret |
| 689 | scan := scanner.NewDefaultScanner() |
| 690 | // Check all compose files |
| 691 | for _, file := range project.ComposeFiles { |
| 692 | in, err := composeFileAsByteReader(ctx, file, project) |
| 693 | if err != nil { |
| 694 | return nil, err |
| 695 | } |
| 696 | |
| 697 | findings, err := scan.ScanReader(in) |
| 698 | if err != nil { |
| 699 | return nil, fmt.Errorf("failed to scan compose file %s: %w", file, err) |
| 700 | } |
| 701 | allFindings = append(allFindings, findings...) |
| 702 | } |
| 703 | for _, service := range project.Services { |
| 704 | // Check env files |
| 705 | for _, envFile := range service.EnvFiles { |
| 706 | if _, statErr := os.Stat(envFile.Path); statErr != nil { |
| 707 | if !os.IsNotExist(statErr) { |
| 708 | return nil, fmt.Errorf("failed to access env file %s: %w", envFile.Path, statErr) |
| 709 | } |
| 710 | if envFile.Required { |
| 711 | return nil, fmt.Errorf("env file %s not found", envFile.Path) |
| 712 | } |
| 713 | continue |
| 714 | } |
| 715 | findings, err := scan.ScanFile(envFile.Path) |
| 716 | if err != nil { |
| 717 | return nil, fmt.Errorf("failed to scan env file %s: %w", envFile.Path, err) |
| 718 | } |
| 719 | allFindings = append(allFindings, findings...) |
| 720 | } |
| 721 | } |
| 722 | |
| 723 | // Check configs defined by files |
| 724 | for _, config := range project.Configs { |
| 725 | if config.File != "" { |
| 726 | findings, err := scan.ScanFile(config.File) |
| 727 | if err != nil { |
| 728 | return nil, fmt.Errorf("failed to scan config file %s: %w", config.File, err) |
| 729 | } |
| 730 | allFindings = append(allFindings, findings...) |
| 731 | } |
| 732 | } |
| 733 | |
| 734 | // Check secrets defined by files |
| 735 | for _, secret := range project.Secrets { |
| 736 | if secret.File != "" { |
| 737 | findings, err := scan.ScanFile(secret.File) |
| 738 | if err != nil { |
| 739 | return nil, fmt.Errorf("failed to scan secret file %s: %w", secret.File, err) |
| 740 | } |
| 741 | allFindings = append(allFindings, findings...) |
| 742 | } |
| 743 | } |
| 744 | |