jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Security scan flags up the token being printed #933

Closed CynanX closed 4 months ago

CynanX commented 7 months ago

When I include PyJWT in a Lambda that I build into a Docker image and then run Trivy to scan it for vulnerabilities, Trivy picks up a security risk due to a token being exposed.

Expected Result

Trivy passes without exception.

Actual Result

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
MEDIUM: JWT (jwt-token)
════════════════════════════════════════
JWT token
────────────────────────────────────────
 /var/task/PyJWT-2.8.0.dist-info/METADATA:90 (added by 'COPY /var/task /var/task # buildkit')
────────────────────────────────────────
  88       >>> encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
  89       >>> print(encoded)
  90 [     *********************************************************************************************************
  91       >>> jwt.decode(encoded, "secret", algorithms=["HS256"])

Reproduction steps

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "41.0.2"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.11.6"
  },
  "platform": {
    "release": "23.1.0",
    "system": "Darwin"
  },
  "pyjwt": {
    "version": "2.8.0"
  }
}

github-actions[bot] commented 5 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

CynanX commented 5 months ago

Any update on this?

jpadilla commented 4 months ago

I don't particularly think this is something we need to change. I'd suggest looking at how to configure Trivy to mark this as a false positive.

AndreiPaulau commented 4 months ago

Hello,

I agree, that's not a pyjwt issue.

But, could you please check the latest comment? https://github.com/aquasecurity/trivy/discussions/5772

Would it be possible to add markers like test or example? {"example": "payload"} or something like that?

Thanks
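To make the false positive concrete, here is an added example (not part of pyjwt or of this thread) that rebuilds the README's HS256 token without PyJWT, scans a constructed METADATA-style excerpt for JWT-shaped strings the way a secret scanner does, and triages each hit using the marker convention proposed above. The regex is an assumed approximation of a scanner's "jwt-token" rule, not Trivy's actual pattern, and the marker keys ("example", "test") are the assumed convention; the sample text is constructed.

```python
import base64
import hashlib
import hmac
import json
import re

# Assumed approximation of a scanner's "jwt-token" rule: three base64url
# segments, the first two starting with "eyJ" (base64url of '{"').
JWT_RE = re.compile(
    r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?![A-Za-z0-9_-])"
)

# Assumed convention: a payload carrying one of these keys is documentation
# material, not a leaked credential.
EXAMPLE_MARKERS = {"example", "test"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj: dict) -> bytes:
    # Same separators PyJWT uses, so the segments match the README token.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def encode_hs256(payload: dict, key: str) -> str:
    """Build an HS256 JWT with the standard library only (header keys sorted as PyJWT does)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(key.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def payload_of(token: str) -> dict:
    """Read the payload claims WITHOUT verifying the signature; only for triage, never for trust."""
    return json.loads(b64url_decode(token.split(".")[1]))


def classify(token: str) -> str:
    """'documentation-example' if a marker key is present, else 'needs-review'."""
    if EXAMPLE_MARKERS & set(payload_of(token)):
        return "documentation-example"
    return "needs-review"


def triage(text: str) -> list[tuple[str, str]]:
    """Find JWT-shaped strings in text and classify each one."""
    return [(m.group(0), classify(m.group(0))) for m in JWT_RE.finditer(text)]


# The README's own example (public payload, public key "secret").
README_TOKEN = encode_hs256({"some": "payload"}, "secret")
# The same example with the proposed marker key.
MARKED_TOKEN = encode_hs256({"example": "payload"}, "secret")

# Constructed METADATA-style excerpt, mimicking the lines Trivy reported.
SAMPLE_METADATA = f"""\
>>> encoded = jwt.encode({{"some": "payload"}}, "secret", algorithm="HS256")
>>> print(encoded)
{README_TOKEN}
>>> marked = jwt.encode({{"example": "payload"}}, "secret", algorithm="HS256")
{MARKED_TOKEN}
>>> jwt.decode(encoded, "secret", algorithms=["HS256"])
"""

if __name__ == "__main__":
    for token, verdict in triage(SAMPLE_METADATA):
        print(f"{verdict:22} {token[:40]}... payload={payload_of(token)}")
```

Running it shows both tokens are caught by the shape-based match, which is all a scanner can do; only decoding the payload reveals that the first token carries nothing secret and the second is self-labelled as an example. That is the case for the marker idea, and it is also why a scanner suppression (rather than a library change) is the usual way to close this kind of finding.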