Remove cryptography docs to fix Trivy secret scan

dpark01 · dpark01 · commit 17399e532da5 · 2026-05-12T15:49:46.000-04:00
- Cryptography documentation contains example private keys in
  docs/hazmat/primitives/asymmetric/serialization.rst and
  docs/x509/ocsp.rst that trigger Trivy's secret scanner
- These are documentation examples, not real secrets
- Removing /opt/conda/lib/python3.12/site-packages/docs (cryptography-
  specific, confirmed via conf.py project name)
diff --git a/docker/Dockerfile.baseimage b/docker/Dockerfile.baseimage
@@ -63,11 +63,14 @@ COPY docker/install-conda-deps.sh /tmp/
 # Remove gcloud-crc32c — Go binary compiled with old Go stdlib (CVEs).
 # Remove gsutil's vendored urllib3 dummyserver — contains a dummy private key
 # that triggers secret-detection scanners (e.g. Trivy).
+# Remove cryptography documentation — contains example private keys that
+# trigger secret-detection scanners (e.g. Trivy).
 # gcloud/gsutil use the conda environment Python, not the bundled one.
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt && \
     rm -rf /opt/conda/share/google-cloud-sdk-*/platform/bundledpythonunix && \
     rm -f /opt/conda/share/google-cloud-sdk-*/bin/gcloud-crc32c && \
     rm -rf /opt/conda/share/google-cloud-sdk-*/platform/gsutil/third_party/urllib3/dummyserver && \
+    rm -rf /opt/conda/lib/python3.12/site-packages/docs && \
     rm -rf /tmp/requirements /tmp/install-conda-deps.sh
 
 # Install firecloud via pip instead of conda because the conda noarch
