
[v17] Strip VCS build information from go builds#61540

Merged: hugoShaka merged 1 commit into branch/v17 from bot/backport-61502-branch/v17, Nov 19, 2025

Conversation

@hugoShaka (Contributor)

Backport #61502 to branch/v17

changelog: Prevented Trivy from reporting false positives when scanning the Teleport binaries.

Scanners such as trivy are misinterpreting the Go pseudo-versions
describing which commit was used to build the project.
See: aquasecurity/trivy#9446

This causes false positives and considerable toil for our support team
as every user/customer is seeing trivy reporting that Teleport is
affected by CVE-2022-36633 (it is not).

Trivy doesn't seem to want to fix their tool so we must strip VCS
information from the go binary to stop the false positives.

This actually makes the binaries _less traceable_, but this is the only
workaround to reduce the noise caused by those tools.
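A release-pipeline check for the workaround described above, added here as an example (it is not part of this PR or of Teleport's code): it parses the output of `go version -m <binary>` and returns any vcs.* build settings, which is exactly the metadata that building without `-buildvcs=false` embeds and that scanners reinterpret as a pseudo-version. The sample output and the revision hash are constructed; `-buildvcs=false` is the standard `go build` flag that strips this metadata.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of `go version -m teleport` output for a binary built inside a
// git checkout without -buildvcs=false; the revision hash is a made-up value.
const sampleWithVCS = "teleport: go1.22.0\n" +
	"\tpath\tgithub.com/gravitational/teleport\n" +
	"\tbuild\t-buildmode=exe\n" +
	"\tbuild\tvcs=git\n" +
	"\tbuild\tvcs.revision=0123456789abcdef0123456789abcdef01234567\n" +
	"\tbuild\tvcs.modified=false\n"

// ParseGoVersionM extracts the "build" settings (tab-separated "build<TAB>key=value"
// lines) from `go version -m` output; the header, path, mod and dep lines are skipped.
func ParseGoVersionM(out string) map[string]string {
	settings := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Split(strings.TrimSpace(sc.Text()), "\t")
		if len(fields) != 2 || fields[0] != "build" {
			continue
		}
		if k, v, ok := strings.Cut(fields[1], "="); ok {
			settings[k] = v
		}
	}
	return settings
}

// VCSSettings returns the vcs.* settings that -buildvcs=false removes; vcs.revision is
// the commit hash scanners turn into a pseudo-version. Empty means safe to scan.
func VCSSettings(settings map[string]string) map[string]string {
	vcs := map[string]string{}
	for k, v := range settings {
		if k == "vcs" || strings.HasPrefix(k, "vcs.") {
			vcs[k] = v
		}
	}
	return vcs
}

func main() {
	if vcs := VCSSettings(ParseGoVersionM(sampleWithVCS)); len(vcs) > 0 {
		fmt.Println("binary still embeds VCS build info:", vcs)
	}
}
```

In CI, feed the real `go version -m <binary>` output to `ParseGoVersionM` and fail the release when `VCSSettings` returns a non-empty map, so a regression is caught before the scanner sees the binary.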
@hugoShaka hugoShaka added this pull request to the merge queue Nov 19, 2025
Merged via the queue into branch/v17 with commit d3ba918 Nov 19, 2025
40 checks passed
@hugoShaka hugoShaka deleted the bot/backport-61502-branch/v17 branch November 19, 2025 22:22
@doggydogworld doggydogworld mentioned this pull request Dec 8, 2025