fluentd-docker-image
Vulnerability scanner is flagging the image (v1.15) for containing private keys
Hello 👋
We recently added a vulnerability scan on the fluentd image (v1.15) using a Check-Point tool called SourceGuard; the scan results are flagging fluentd images for containing test certs. For example:
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/cert_chains/ca-cert-key.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/with_ca/cert-key.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/without_ca/cert-key.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/with_ca/cert-key-pass.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/without_ca/cert-key-pass.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/cert-key.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/cert_chains/cert-key.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/with_ca/ca-cert-key-pass.pem
/usr/local/bundle/gems/fluentd-1.14.0/test/plugin_helper/data/cert/with_ca/ca-cert-key.pem
I think these test certs (and probably the entire test folder) could be removed from the final docker image. WDYT? I'd be happy to contribute a PR.
Thanks!
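As an added example (not code from the fluentd-docker-image project or from the issue author), the POSIX shell script below does two things the thread implies: it finds PEM files under a gem install root that actually contain a private key (the check a scanner like the one above performs), and it prunes each gem's `test/` and `spec/` directories, which is the kind of cleanup a Dockerfile `RUN` step could do right after `gem install`. The gem tree it operates on is constructed in a temp directory, and all function names are mine. Note that `gem install --no-document` does not strip test directories, so a separate removal step is needed.

```shell
#!/bin/sh
# Added example, not part of fluentd or fluentd-docker-image.
# Scan a gem root for PEM private keys and prune per-gem test/ and spec/ dirs.

# Print, sorted, every file under $1 whose contents carry a PEM private-key
# header (plain RSA/EC/DSA/OpenSSH keys and PKCS#8 "ENCRYPTED PRIVATE KEY"
# blocks, which is what a *-key-pass.pem file typically holds).
find_private_keys() {
  grep -rlE -- '-----BEGIN ((RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----' "$1" 2>/dev/null | sort
}

# Number of files reported by find_private_keys; "0" when there are none.
count_private_keys() {
  find_private_keys "$1" | wc -l | tr -d ' '
}

# Remove <gemroot>/<gem>-<version>/test and .../spec. Gem test suites are not
# loaded at runtime, so this is safe for fluentd itself; check any plugin gem
# that ships fixtures it reads at runtime before applying this blindly.
prune_gem_tests() {
  find "$1" -mindepth 2 -maxdepth 2 -type d \( -name test -o -name spec \) \
    -prune -exec rm -rf -- {} +
}

# Constructed gem tree mirroring the layout in the scanner report above.
# The key material is placeholder text, not a real key.
make_demo_tree() {
  root="$1"
  certdir="$root/fluentd-1.14.0/test/plugin_helper/data/cert/with_ca"
  mkdir -p "$certdir" "$root/fluentd-1.14.0/lib"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructedplaceholder==' \
    '-----END RSA PRIVATE KEY-----' > "$certdir/cert-key.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIFconstructedplaceholder==' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$certdir/cert-key-pass.pem"
  # A certificate is public material and must not be flagged.
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDconstructedplaceholder==' \
    '-----END CERTIFICATE-----' > "$certdir/cert.pem"
  printf '%s\n' 'puts "runtime code stays"' > "$root/fluentd-1.14.0/lib/fluent.rb"
}

# Stand-alone demo: scan, prune, scan again. Call as `main` when sourced, or
# run the file directly.
main() {
  d=$(mktemp -d)
  make_demo_tree "$d"
  echo "private keys before prune ($(count_private_keys "$d")):"
  find_private_keys "$d" || true
  prune_gem_tests "$d"
  echo "private keys after prune ($(count_private_keys "$d")):"
  find_private_keys "$d" || echo "(none)"
  rm -rf "$d"
}
```

Against a real image, run the scan part as `docker run --rm --entrypoint sh <image> -c '...'` with the gem root set to `/usr/local/bundle/gems`, and run the prune step inside the Dockerfile so the removed files never land in a layer; deleting them in a later layer would leave the keys recoverable from the image history.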
As you mentioned, it is prepared for testing purposes. PRs are welcome.