False Positive: Hugging Face Access Token

[pascal-pfeiffer]

IDs

Hugging Face Access Token

Description

Running uv with the --compile-bytecode flag produces compiled pyc files from the source files. For the vllm python package, these following files are flagged to contain the Hugging Face Access Token.
I believe this is a false positive detection due to rather loose regex to detect these

https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go#L178

Regex:           MustCompileWithoutWordPrefix(`?P<secret>hf_[A-Za-z0-9]{34,40}`),

FYI:
Link of

Read the documentation regarding wrong detection

is broken.

Reproduction Steps

1. Have vllm==0.13.0 python dependency. 
2. Run `uv` with the `--compile-bytecode`
3. Trivy will detect `Hugging Face Access Tokens` in some of the compiled files (see above)

Target

Container Image

Scanner

Secret

Target OS

No response

Debug Output

/site-packages/vllm/model_executor/models/__pycache__/deepseek_ocr.cpython-312.pyc (secrets)
============================================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: HuggingFace (hugging-face-access-token)
════════════════════════════════════════
Hugging Face Access Token
────────────────────────────────────────



/site-packages/vllm/model_executor/models/__pycache__/nano_nemotron_vl.cpython-312.pyc (secrets)
================================================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: HuggingFace (hugging-face-access-token)
════════════════════════════════════════
Hugging Face Access Token
────────────────────────────────────────



/site-packages/vllm/model_executor/models/__pycache__/paddleocr_vl.cpython-312.pyc (secrets)
============================================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: HuggingFace (hugging-face-access-token)
════════════════════════════════════════
Hugging Face Access Token
────────────────────────────────────────



/site-packages/vllm/multimodal/__pycache__/processing.cpython-312.pyc (secrets)
===============================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: HuggingFace (hugging-face-access-token)
════════════════════════════════════════
Hugging Face Access Token
────────────────────────────────────────

Version

v0.68.2

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct