Describe the problem
The distributed npm package contains keys as part of the test folder. (Container) scanning tools like Twistlock raise compliance issues, e.g.
Type: compliance
Sev.: high
Description: Private keys stored in image
Found: /opt/app-root/node_modules/agent-base/test/ssl-cert-snakeoil.key
The files are not needed for running the app in production, and could be removed as part of the container build or I can add an .npmignore to ignore the test folder.
What was the expected behavior?
No test ssl keys in the package.
Reproduction
Step 1..
Step 2..
...
Environment
Version of this library used: jwks-rsa@1.12.3, also tried with jwks-rsa@2.0.5
Which framework are you using, if applicable:
Other modules/plugins/libraries that might be involved: None
Any other relevant information you think would be useful: No