Remove gsutil vendored urllib3 dummyserver containing dummy private key

dpark01 · claude · dpark01 · commit 5b95d7a4136b · 2026-03-26T08:09:23.000-04:00
The dummyserver directory includes a test private key that triggers
Trivy secret-detection alerts. Removed in the same layer as the
google-cloud-sdk install so no layer ever contains it.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docker/Dockerfile.baseimage b/docker/Dockerfile.baseimage
@@ -61,10 +61,13 @@ COPY docker/install-conda-deps.sh /tmp/
 # Remove google-cloud-sdk's bundled Python — it contains vendored copies of
 # cryptography, pyOpenSSL, etc. that are older than what we install via conda.
 # Remove gcloud-crc32c — Go binary compiled with old Go stdlib (CVEs).
+# Remove gsutil's vendored urllib3 dummyserver — contains a dummy private key
+# that triggers secret-detection scanners (e.g. Trivy).
 # gcloud/gsutil use the conda environment Python, not the bundled one.
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt && \
     rm -rf /opt/conda/share/google-cloud-sdk-*/platform/bundledpythonunix && \
     rm -f /opt/conda/share/google-cloud-sdk-*/bin/gcloud-crc32c && \
+    rm -rf /opt/conda/share/google-cloud-sdk-*/platform/gsutil/third_party/urllib3/dummyserver && \
     rm -rf /tmp/requirements /tmp/install-conda-deps.sh
 
 # Install firecloud via pip instead of conda because the conda noarch
