Skip to content

fix(security): scope Trivy private-key ignore to vendored openssl doc (false positive)#116

Open
seonghobae wants to merge 1 commit into
masterfrom
fix/trivy-ignore-vendored-doc-key
Open

fix(security): scope Trivy private-key ignore to vendored openssl doc (false positive)#116
seonghobae wants to merge 1 commit into
masterfrom
fix/trivy-ignore-vendored-doc-key

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

Finding

Trivy's Secret scanner reports 2× HIGH AsymmetricPrivateKey (rule id: private-key) in:

packrat/lib/x86_64-pc-linux-gnu/3.4.1/openssl/doc/keys.html:166-168
packrat/lib/x86_64-pc-linux-gnu/3.4.1/openssl/doc/keys.html:173-177

This file is vendored upstream documentation for the R openssl package (checked in under packrat/ for reproducible builds). The PEM blocks are example keys printed by the doc's own write_pem() demonstration — published upstream example material, not a live credential. It is a false positive.

Fix

A path-scoped, documented suppression — not a global disable of the rule:

  • .trivyignore.yaml — ignores rule private-key for packrat/lib/**/openssl/doc/keys.html only.
  • trivy.yaml — sets ignorefile: .trivyignore.yaml so the YAML ignore applies on a bare trivy fs .. (Trivy 0.71.x auto-detects only a plain, line-based .trivyignore, which cannot scope a rule to a path; the trivy.yaml companion is what enables path scoping without weakening detection elsewhere.)

Real private keys committed anywhere else in the repo still fail the scan — verified by copying the same key content to another path, which still reports HIGH.

Local verification (Trivy 0.71.1, fresh vuln DB)

Command (identical before and after):

trivy fs . --scanners vuln,secret,misconfig --severity CRITICAL,HIGH --ignore-unfixed
private-key (HIGH) new CRITICAL/HIGH
before 2
after 0 none introduced

No application/build/runtime behavior is affected — only scanner configuration is added.

🤖 Generated with Claude Code

Trivy's Secret scanner flags 2x HIGH AsymmetricPrivateKey (rule id:
private-key) in
packrat/lib/x86_64-pc-linux-gnu/3.4.1/openssl/doc/keys.html. That file is
vendored upstream documentation for the R "openssl" package; the PEM blocks
are EXAMPLE keys emitted by the doc's own write_pem() demonstration, not a
live credential. This is a false positive.

Add a path-scoped, documented suppression instead of globally disabling the
rule:
  - .trivyignore.yaml scopes the `private-key` ignore to
    packrat/lib/**/openssl/doc/keys.html only.
  - trivy.yaml sets `ignorefile: .trivyignore.yaml` so the YAML ignore is
    applied on a bare `trivy fs .` (Trivy 0.71.x auto-detects only a plain,
    non-path-scoped .trivyignore).

Real private keys committed anywhere else in the repo still fail the scan
(verified: same key content at another path still reports HIGH).

Local verification (trivy 0.71.1, fresh DB):
  trivy fs . --scanners vuln,secret,misconfig --severity CRITICAL,HIGH --ignore-unfixed
  before: 2 HIGH private-key   after: 0 (no new CRITICAL/HIGH introduced)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant