Open gmlewis opened 5 months ago
+1 we have the same issue
As I see, these files are needed for testing purposes, so you can provide them in Travis settings or through repository secrets.
@zyv4yk - I was curious how any of this code was getting into our Dockerfile in the first place, and it turns out that one of our developers did this in our Dockerfile:

```dockerfile
# Make sure the dependencies persist
COPY --chown=1001:1001 --from=build-stage /go/pkg/mod /go/pkg/mod
```
Once we removed that, the Trivy vulnerability went away, so I recommend you take a look at how this code is actually getting into your container in the first place.
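The mechanism described above (the build stage's Go module cache, test `certs` and all, copied into the final image, where Trivy's secret scanner flags the PEM private key) can be reproduced and checked without Trivy. The following script is an added example, not code from the original issue, from the project, or from Trivy: it builds a constructed miniature of such an image filesystem, walks it the way a secret scanner would (searching for PEM private-key headers), and scans again after the module cache has been left out, which is the fix the comment arrives at. The module path `example.com/somepkg@v1.0.0`, the file names and the key material are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not the project's or Trivy's code). Emulates the check a
# secret scanner performs on a build context or on a container filesystem
# exported with `docker export`: walk the tree and report every file that
# carries a PEM private key. All sample data below is constructed.

set -eu

# find_private_keys DIR
# Prints one path per file under DIR that contains a PEM private-key
# header. Returns 0 when nothing was found, 1 otherwise (mirrors a
# scanner's pass/fail exit code).
find_private_keys() {
    dir=$1
    hits=$(grep -rlE \
        -e '-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----' \
        "$dir" 2>/dev/null || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# count_private_keys DIR
# Prints the number of flagged files; always exits 0 so it is safe under set -e.
count_private_keys() {
    find_private_keys "$1" | grep -c . || true
}

# make_sample_root ROOT
# Builds a constructed miniature of the final image's filesystem: an
# application binary plus a Go module cache copied in from the build
# stage, in which one (hypothetical) module ships test certificates and
# the matching private key.
make_sample_root() {
    root=$1
    mod="$root/go/pkg/mod/example.com/somepkg@v1.0.0"   # hypothetical module
    mkdir -p "$mod/certs" "$root/app"
    # Placeholder PEM bodies; not real key or certificate material.
    cat > "$mod/certs/server.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQplaceholder
-----END CERTIFICATE-----
EOF
    cat > "$mod/certs/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
EOF
    printf 'binary placeholder\n' > "$root/app/server"
}

# Scan the tree with the module cache present, then again without it.
main() {
    root=$(mktemp -d)
    make_sample_root "$root"
    echo "scan with /go/pkg/mod copied from the build stage:"
    find_private_keys "$root" || echo "=> private key present; Trivy would report it"
    rm -rf "$root/go/pkg/mod"
    echo "scan after leaving /go/pkg/mod out of the final stage:"
    find_private_keys "$root" && echo "=> clean"
    rm -rf "$root"
}

main
```

Note that `.dockerignore` does not help here: it filters the build context sent to the daemon, while `COPY --from=build-stage` copies out of an earlier stage, so the cache lands in the final image regardless. Either drop that `COPY`, or, as the issue proposes, delete the `certs` directory in the build before the final stage copies anything.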
> As I see, these files are needed for testing purposes, so you can provide them in Travis settings or through repository secrets.

What about people who clone the repo and want to run the tests?
@gmlewis Thanks, will analyze my Dockerfile to find out how this is getting into the container.
When building a Docker image using this package, and then performing a Trivy scan on it, it reports HIGH vulnerability errors due to the private keys in the `certs` dir that are used for testing purposes on Travis. One solution could be to delete the `certs` directory during the Docker image build, but I thought I should report this in case others run into the issue.