Context
The Flagsmith Enterprise container image ships with the Django test-settings module at:
/app/app/settings/test.py
This file contains a SUBSCRIPTION_LICENCE_PRIVATE_KEY test fixture (an RSA private key) used only by the unit test suite to validate license signature logic. It is only loaded when DJANGO_SETTINGS_MODULE=app.settings.test, so it is not used at runtime in any production or Enterprise deployment. The key is also already public as part of the open-source repo (api/app/settings/test.py), so it is not a real secret exposure.
However, because the file is present inside the production image, security scanners flag it as a High-severity finding (private key embedded in container). This blocks compliance workflows for Enterprise customers whose internal policies require all High severity findings to be resolved before production rollout.
Proposed fix
Exclude app/settings/test.py (and other test-only fixtures, if any) from the production Enterprise Docker image build. Options to consider:
- Use a multi-stage Dockerfile that copies only the production settings files
- Add a .dockerignore exclusion for test settings in the Enterprise image context
- Move the test RSA keypair into the test suite itself (e.g. under tests/) so it never ships with the application code
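Whichever option is chosen, the fix should be verified against the built image rather than the source tree, since that is what the scanners inspect. The script below is an added example, not Flagsmith's own tooling: it checks an extracted image root filesystem for the `app/app/settings/test.py` path named above and for any file carrying a PEM private-key header, and it builds two constructed fixture trees (a "before" tree containing a placeholder PEM block that is not real key material, and an "after" tree without it) so it can run stand-alone. The directory layout and the `docker create` / `docker export` command in the comment are assumptions about how a reviewer would obtain the image root.

```shell
#!/bin/sh
# Added example (not Flagsmith tooling). Checks that an image root filesystem
# ships neither the Django test settings module nor any PEM private key.
# Assumption: ROOT holds the image's root filesystem, for example produced by
#   docker create --name tmp <image> && docker export tmp | tar -x -C ROOT
# The path app/app/settings/test.py is the one named in the issue above.

# Return 0 if the test settings module is present under ROOT, 1 otherwise.
has_test_settings() {
    [ -f "$1/app/app/settings/test.py" ]
}

# Print every regular file under ROOT that contains a PEM private-key header.
# Always returns 0 so it can be captured with $(...) under `set -e`.
list_private_keys() {
    find "$1" -type f -exec grep -l -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + 2>/dev/null || true
}

# Return 0 when ROOT is clean, 1 when either check finds something.
check_image_root() {
    rc=0
    if has_test_settings "$1"; then
        echo "FAIL: test settings module shipped: app/app/settings/test.py" >&2
        rc=1
    fi
    keys=$(list_private_keys "$1")
    if [ -n "$keys" ]; then
        echo "FAIL: PEM private key header found in:" >&2
        echo "$keys" >&2
        rc=1
    fi
    return $rc
}

# Constructed "before" tree: test module present, with a placeholder PEM block
# (no real key material) so the header check has something to find.
make_dirty_tree() {
    mkdir -p "$1/app/app/settings"
    printf 'DEBUG = True\n' > "$1/app/app/settings/common.py"
    {
        printf 'SUBSCRIPTION_LICENCE_PRIVATE_KEY = """\n'
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'
        printf '%s\n' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY'
        printf '%s\n' '-----END RSA PRIVATE KEY-----'
        printf '"""\n'
    } > "$1/app/app/settings/test.py"
}

# Constructed "after" tree: production settings only.
make_clean_tree() {
    mkdir -p "$1/app/app/settings"
    printf 'DEBUG = False\n' > "$1/app/app/settings/common.py"
}

# Stand-alone demo over both fixture trees.
demo() {
    work=$(mktemp -d)
    make_dirty_tree "$work/before"
    make_clean_tree "$work/after"
    check_image_root "$work/before" && echo "before: clean" || echo "before: findings (expected)"
    check_image_root "$work/after" && echo "after: clean (expected)" || echo "after: findings"
    rm -rf "$work"
}
demo
```

To gate a release on the fix, replace the `demo` call with `check_image_root "$ROOT"` against an exported image root and fail the pipeline on a non-zero exit; the PEM header check is deliberately broader than the single path so that a fixture moved to another location inside the image is still caught.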
Impact
- Unblocks Enterprise customers whose security reviews flag the file
- Reduces false positive security findings across all Enterprise deployments
- No functional impact on production runtime
References