Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Private keys cause Trivy HIGH vulnerability alerts #1158

Open
gmlewis opened this issue Apr 17, 2024 · 4 comments
Open

Private keys cause Trivy HIGH vulnerability alerts #1158

gmlewis opened this issue Apr 17, 2024 · 4 comments

Comments

@gmlewis
Copy link

gmlewis commented Apr 17, 2024

When building a Docker image using this package, and then performing a Trivy scan on it, it reports HIGH vulnerability errors due to the private keys in the certs dir that are used for testing purposes on Travis:

/go/pkg/mod/github.com/lib/[email protected]/certs/postgresql.key (secrets)
====================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /go/pkg/mod/github.com/lib/[email protected]/certs/postgresql.key:1 (added by '[stage-1 3/5] COPY --chown=1001:1001 --f')
────────────────────────────────────────
   1 [ -----BEGIN PRIVATE KEY-----*************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----
   2   
────────────────────────────────────────



/go/pkg/mod/github.com/lib/[email protected]/certs/server.key (secrets)
================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /go/pkg/mod/github.com/lib/[email protected]/certs/server.key:1 (added by '[stage-1 3/5] COPY --chown=1001:1001 --f')
────────────────────────────────────────
   1 [ -----BEGIN PRIVATE KEY-----***********************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----
   2   
────────────────────────────────────────

One solution could be to delete the certs directory during the Docker image build, but I thought I should report this in case others run into the issue.

@zyv4yk
Copy link

zyv4yk commented Apr 18, 2024

+1 we have the same issue

as I see these files are needed for testing purposes so you can provide this in Travis settings or through repository secrets

@gmlewis
Copy link
Author

gmlewis commented Apr 18, 2024

@zyv4yk - I was curious how any of this code was getting into our Dockerfile in the first place, and it turns out that one of our developers did this in our Dockerfile:

# Make sure the dependencies persist
COPY --chown=1001:1001 --from=build-stage /go/pkg/mod /go/pkg/mod

Once we removed that, the Trivy vulnerability went away, so I recommend you take a look at how this code is actually getting into your container in the first place.

@johto
Copy link
Contributor

johto commented Apr 18, 2024

as I see these files are needed for testing purposes so you can provide this in Travis settings or through repository secrets

What about people who clone the repo and want to run the tests?

@zyv4yk
Copy link

zyv4yk commented Apr 19, 2024

@gmlewis Thanks, will analyze my Dockerfile to find out how this is getting into container.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants