fix: scrub more Xray secret false positives + universal METADATA truncation #207
Merged
Adds a second round of scrubs in response to a fresh customer Xray scan
that surfaced new findings the first round of fixes didn't address.
Local `jf docker scan --secrets` against trialwyikk8 (same engine the
customer's entplus.jfrog.io uses) drops from the original 144 customer
violations to 59 residual ignore-rule items.
What's new in this commit (cumulative deltas vs the first scrub round):
- Strip Python type-stub `.pyi` files from /code/deps. They are read by
type checkers and IDEs only, never loaded at runtime. Generated proto
stubs (`_pb2.pyi`) contain long string literals that trip secret
detectors. (Drops `drdroid_debug_toolkit/.../api_pb2.pyi` finding.)
- `rm -rf /build/deps/dj_rest_auth/tests` — wheel ships its test suite
with sample passwords inside; never imported at runtime. (Drops the
`dj_rest_auth/tests/test_api.py:250` finding.)
- Universal METADATA truncation — keep only the structured headers
(`Name:`, `Version:`, `Requires-Dist:`, etc.) by truncating each
`dist-info/METADATA` file at the first blank line. The long-form
description body (which contains README markdown with CodeCov badge
tokens, JWT examples, link-reference URLs) is what trips detectors.
Verified `importlib.metadata.version("pyjwt")` still returns 2.12.1
after truncation; vpc-agent code does not call `importlib.metadata`
for description access. Generic — applies to all 165 dist-info
METADATA files in the image. Replaces the previous targeted
`azure_identity / dj_database_url / pyjwt` truncation block.
- `google/oauth2/gdch_credentials.py` docstring example: replace the
`-----BEGIN EC PRIVATE KEY-----\n<key bytes>\n-----END EC PRIVATE
KEY-----` placeholder with `<private-key-pem>` since the BEGIN/END
PEM markers themselves trip detectors.
- `google/auth/aws.py` docstring example: replace the three
`http://169.254.169.254/latest/...` IMDS URLs with placeholders so
the docstring stops tripping IP-literal heuristics.
- `sqlalchemy/dialects/mssql/pyodbc.py` docstring example: replace
`https://database.windows.net/` Azure SQL token URL with a
placeholder.
The remaining 59 secrets in the v3 image are all third-party variable
identifiers (TOKEN_*/SAML_*/_AWS_*/secret_*/password) and OpenAPI
field-name maps that cannot be renamed without breaking runtime
imports, K8s API serialization, msal's WS-Trust parsing, or Django's
i18n labels. Documented in the local triage notes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
sidPhoenix17
approved these changes
Apr 27, 2026
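The two generic scrubs the PR describes (truncating every `dist-info/METADATA` at the first blank line and deleting `.pyi` stubs) as an added, runnable example. This is not the PR's or the vpc-agent project's own build code; it assumes the caller passes the vendored deps directory (the PR's `/code/deps`) and uses a constructed sample METADATA whose body carries a made-up CodeCov badge token and JWT snippet, the kind of content the PR says trips the detector. The header check parses the truncated file with the same RFC 822 parser `importlib.metadata` uses, so it reproduces the PR's `importlib.metadata.version("pyjwt")` verification offline.

```python
"""Added example (not vpc-agent code): scrub a vendored deps tree the way the
PR describes. Assumptions: deps live under one root directory; METADATA files
sit in *.dist-info directories; nothing at runtime needs the long description."""
from __future__ import annotations

import email.parser
import email.policy
import tempfile
from pathlib import Path

# Constructed sample METADATA. Only the header block (up to the first blank line)
# is what importlib.metadata reads; the body is README markdown, which is where
# badge tokens, JWT examples and link-reference URLs end up.
SAMPLE_METADATA = (
    "Metadata-Version: 2.1\n"
    "Name: pyjwt\n"
    "Version: 2.12.1\n"
    "Requires-Dist: cryptography>=3.4.0; extra == 'crypto'\n"
    "Description-Content-Type: text/markdown\n"
    "\n"
    "# PyJWT\n"
    "[![codecov](https://codecov.io/gh/example/example/graph/badge.svg"
    "?token=EXAMPLETOKEN123)](https://codecov.io/gh/example/example)\n"
    "\n"
    "    token = jwt.encode({'sub': 'alice'}, 'secret', algorithm='HS256')\n"
)


def truncate_metadata(text: str) -> str:
    """Keep everything before the first blank line (the structured headers).
    A file that has no body is returned unchanged."""
    header_lines = []
    for line in text.splitlines(keepends=True):
        if not line.strip():
            break
        header_lines.append(line)
    return "".join(header_lines)


def headers_still_parse(text: str) -> dict:
    """Parse a METADATA header block the way importlib.metadata does (the email
    package, RFC 822 style) and return the fields runtime code relies on."""
    msg = email.parser.Parser(policy=email.policy.compat32).parsestr(text)
    return {
        "name": msg["Name"],
        "version": msg["Version"],
        "requires": msg.get_all("Requires-Dist") or [],
        # Older wheels carry the README in a folded "Description:" header rather
        # than the body; first-blank-line truncation leaves that in place, so flag it.
        "description_header": "Description" in msg,
    }


def scrub_deps_tree(root: Path) -> dict:
    """Truncate every *.dist-info/METADATA under root and delete every .pyi.
    Returns counts plus any METADATA that still carries a Description: header."""
    truncated = 0
    stubs_removed = 0
    flagged = []
    for path in sorted(root.rglob("*")):  # sorted() materialises before we unlink
        if not path.is_file():
            continue
        if path.suffix == ".pyi":
            path.unlink()
            stubs_removed += 1
        elif path.name == "METADATA" and path.parent.suffix == ".dist-info":
            kept = truncate_metadata(path.read_text(encoding="utf-8", errors="replace"))
            path.write_text(kept, encoding="utf-8")
            if headers_still_parse(kept)["description_header"]:
                flagged.append(str(path))
            truncated += 1
    return {"metadata_truncated": truncated, "pyi_removed": stubs_removed,
            "description_header_files": flagged}


def demo() -> dict:
    """Build a throwaway deps tree from the constructed sample, scrub it, and
    report what survived and whether the headers still parse."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dist = root / "pyjwt-2.12.1.dist-info"
        dist.mkdir()
        (dist / "METADATA").write_text(SAMPLE_METADATA, encoding="utf-8")
        pkg = root / "somepkg"
        pkg.mkdir()
        (pkg / "api_pb2.pyi").write_text("x: str = '...'\n", encoding="utf-8")
        (pkg / "api_pb2.py").write_text("x = 1\n", encoding="utf-8")
        result = scrub_deps_tree(root)
        result["remaining_files"] = sorted(p.name for p in root.rglob("*") if p.is_file())
        result["headers"] = headers_still_parse((dist / "METADATA").read_text(encoding="utf-8"))
        return result


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind when applying this in a Dockerfile. First, wheels built to older metadata versions put the README in a folded `Description:` header instead of the body, so truncating at the first blank line leaves it intact; the `description_header` flag above surfaces those files so they can be handled separately. Second, `RECORD` in the same `dist-info` directory still lists the hash of the original METADATA; pip does not verify `RECORD` at import time, but any tooling that audits wheel integrity against it will report a mismatch after the scrub.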