Private keys cause Trivy HIGH vulnerability alerts #1158

Open
gmlewis opened this issue Apr 17, 2024 · 4 comments
Comments

@gmlewis

gmlewis commented Apr 17, 2024

When building a Docker image using this package, and then performing a Trivy scan on it, it reports HIGH vulnerability errors due to the private keys in the certs dir that are used for testing purposes on Travis:

/go/pkg/mod/github.com/lib/pq@v1.10.9/certs/postgresql.key (secrets)
====================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /go/pkg/mod/github.com/lib/pq@v1.10.9/certs/postgresql.key:1 (added by '[stage-1 3/5] COPY --chown=1001:1001 --f')
────────────────────────────────────────
   1 [ -----BEGIN PRIVATE KEY-----*************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----
   2   
────────────────────────────────────────



/go/pkg/mod/github.com/lib/pq@v1.10.9/certs/server.key (secrets)
================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /go/pkg/mod/github.com/lib/pq@v1.10.9/certs/server.key:1 (added by '[stage-1 3/5] COPY --chown=1001:1001 --f')
────────────────────────────────────────
   1 [ -----BEGIN PRIVATE KEY-----***********************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----
   2   
────────────────────────────────────────

One solution could be to delete the certs directory during the Docker image build, but I thought I should report this in case others run into the issue.

@zyv4yk

zyv4yk commented Apr 18, 2024

+1 we have the same issue

As I see it, these files are needed for testing purposes, so you could provide them through Travis settings or through repository secrets.

@gmlewis
Author

gmlewis commented Apr 18, 2024

@zyv4yk - I was curious how any of this code was getting into our Dockerfile in the first place, and it turns out that one of our developers did this in our Dockerfile:

# Make sure the dependencies persist
COPY --chown=1001:1001 --from=build-stage /go/pkg/mod /go/pkg/mod

Once we removed that, the Trivy vulnerability went away, so I recommend you take a look at how this code is actually getting into your container in the first place.
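
The fix gmlewis describes (stop copying /go/pkg/mod from the build stage into the final image) can be turned into a CI gate so the regression is caught before a scanner does. The script below is an added example, not code from lib/pq, Trivy, or anyone in this thread: it looks for PEM private-key headers in an unpacked image filesystem, the same class of finding Trivy reports as AsymmetricPrivateKey (private-key), and runs it against a constructed directory that mirrors the paths in the report above. The docker create/export commands in the header comment, the fixture layout, and the function names are assumptions for illustration; the key bodies in the fixture are placeholder text, not real key material.

```shell
#!/usr/bin/env bash
# Added example (not from lib/pq, Trivy, or the issue author): a CI gate that
# flags PEM private keys in an unpacked container filesystem, the same finding
# Trivy reports as "AsymmetricPrivateKey (private-key)".
# Assumed way to obtain the tree from a built image (docker create/export):
#   id=$(docker create myimage:tag)
#   mkdir rootfs && docker export "$id" | tar -x -C rootfs && docker rm "$id"
#   assert_no_private_keys rootfs
set -eu

# Print, one per line and sorted, every file under $1 whose contents carry a
# PEM private-key header (PKCS#8 "PRIVATE KEY", "RSA PRIVATE KEY",
# "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY", ...).
# Prints nothing and still returns 0 when the tree is clean.
find_private_keys() {
  local root="$1"
  grep -rlE -- '-----BEGIN ([A-Z ]+ )?PRIVATE KEY-----' "$root" 2>/dev/null | sort || true
}

# Return 1 (and list the offending paths on stderr) if any private key is
# present under $1; return 0 otherwise. Intended as the CI gate.
assert_no_private_keys() {
  local found
  found=$(find_private_keys "$1")
  if [ -n "$found" ]; then
    printf 'private key material found in image filesystem:\n%s\n' "$found" >&2
    return 1
  fi
  return 0
}

# Build a constructed tree that mirrors the paths in the Trivy report: a Go
# module cache copied into the final stage, containing lib/pq's test certs,
# next to the application binary. Key bodies are placeholder text, not keys.
make_fixture() {
  local root="$1"
  local certs="$root/go/pkg/mod/github.com/lib/pq@v1.10.9/certs"
  mkdir -p "$certs" "$root/app"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$certs/postgresql.key"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$certs/server.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$certs/server.crt"
  printf '%s\n' 'fake binary' > "$root/app/server"
}

# Demo: the scan hits on the copied module cache; dropping that directory
# (the image-side equivalent of not COPYing /go/pkg/mod from the build stage)
# makes the gate pass.
demo_root=$(mktemp -d)
make_fixture "$demo_root"
echo "with /go/pkg/mod copied into the final stage:"
find_private_keys "$demo_root"
rm -rf "$demo_root/go/pkg/mod"
assert_no_private_keys "$demo_root" && echo "without it: no private keys found"
rm -rf "$demo_root"
```

Run assert_no_private_keys on the exported root filesystem as the last step of the image build job; it fails the job with the paths listed, which is enough to spot a stray COPY of the module cache. Suppressing the scanner rule instead would hide the finding rather than fix it, since the key files would still ship in the image.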

@johto
Contributor

johto commented Apr 18, 2024

As I see it, these files are needed for testing purposes, so you could provide them through Travis settings or through repository secrets.

What about people who clone the repo and want to run the tests?

@zyv4yk

zyv4yk commented Apr 19, 2024

@gmlewis Thanks, I will analyze my Dockerfile to find out how this is getting into the container.
