zalando / spilo

Highly available elephant herd: HA PostgreSQL cluster using Docker
Apache License 2.0

Why do we need ssl-cert-snakeoil.key in the image? #996

Open mpv001 opened 1 month ago

mpv001 commented 1 month ago

I've been reviewing the exposedsecretreport for ghcr.io/zalando/spilo-15 and noticed that it has the ssl-cert-snakeoil.key file; Trivy is flagging it as a potential exposed secret. Is this used anywhere, or is it just a dummy cert?

Configuration Options: Do we need this default key in the image?

See details below:

Secrets:
Category:  Asymmetric Private Key
Match:     -----BEGIN PRIVATE KEY-----***********************************************-----END PRIVATE KEY
Rule ID:   private-key
Severity:  HIGH
Target:    /etc/ssl/private/ssl-cert-snakeoil.key
Title:     Asymmetric Private Key
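One way to answer the question above for a running container, as an added example that is neither spilo's own code nor part of this thread: parse the server's effective postgresql.conf and report whether PostgreSQL is actually configured to load the key at the path Trivy flagged. The config file path and the sample config below are constructed for illustration; point the check at the real postgresql.conf inside the container's PGDATA.

```shell
#!/bin/sh
# Path reported by Trivy in the issue above.
SNAKEOIL_KEY=/etc/ssl/private/ssl-cert-snakeoil.key

# Print the effective value of a postgresql.conf parameter:
# comment lines are skipped, trailing comments and quotes stripped,
# and the last assignment wins (as PostgreSQL itself resolves it).
pg_conf_value() {  # $1 = conf file, $2 = parameter name
    awk -v key="$2" -v q="'" '
        /^[[:space:]]*#/ { next }
        $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            line = $0
            sub(/^[^=]*=[[:space:]]*/, "", line)   # drop "name ="
            sub(/[[:space:]]*#.*$/, "", line)      # drop trailing comment
            gsub(q, "", line)                      # strip single quotes
            val = line
        }
        END { print val }' "$1"
}

# Return 1 when ssl is enabled and ssl_key_file points at the snakeoil key,
# 0 otherwise (ssl defaults to off and ssl_key_file to server.key).
check_snakeoil() {  # $1 = conf file
    ssl=$(pg_conf_value "$1" ssl)
    key=$(pg_conf_value "$1" ssl_key_file)
    [ -z "$key" ] && key="server.key"
    case "$ssl" in on|true|yes|1) ssl_on=1 ;; *) ssl_on=0 ;; esac
    if [ "$ssl_on" = 1 ] && [ "$key" = "$SNAKEOIL_KEY" ]; then
        echo "ssl=on, ssl_key_file=$key: the image's snakeoil key IS in use"
        return 1
    fi
    echo "ssl=${ssl:-off}, ssl_key_file=$key: snakeoil key not referenced"
    return 0
}

# Constructed sample config (not taken from a real Spilo container).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# ssl_key_file = 'commented out, must be ignored'
ssl = on
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'   # Debian default
EOF

# Usage against a container: docker exec CONTAINER cat "$PGDATA/postgresql.conf" > conf; check_snakeoil conf
check_snakeoil "$SAMPLE_CONF" || echo "-> supply a key generated outside the image via ssl_key_file"
```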