-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lint Rule for catching common secret related env/arg keys #5105
Conversation
bdc83e4
to
81c05a9
Compare
81c05a9
to
53d8e75
Compare
…ommon secret names Signed-off-by: Talon Bowler <talon.bowler@docker.com>
53d8e75
to
6e04857
Compare
Signed-off-by: Talon Bowler <talon.bowler@docker.com>
/cc @dvdksn for some docs support 😄 |
4ff538e
to
0e524f7
Compare
passing secrets in as build arguments, via the `ARG` command, will similarly | ||
expose the secret. This rule reports violations where `ENV` and `ARG` key names | ||
appear to be secret-related. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should explain that build secrets or SSH forwarding should be used instead to configure build with sensitive credentials in a secure way. Example can show build secret in action. We can link to https://docs.docker.com/build/building/secrets/ for extra reading.
cc @dvdksn
Signed-off-by: Talon Bowler <talon.bowler@docker.com>
0e524f7
to
14e2cab
Compare
Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> Signed-off-by: Talon James Bowler <nolat301@gmail.com>
Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> Signed-off-by: Talon James Bowler <nolat301@gmail.com>
Signed-off-by: Talon Bowler <talon.bowler@docker.com>
…v rule description Signed-off-by: Talon Bowler <talon.bowler@docker.com>
Adds a
SecretsUsedInArgOrEnv
lint rule check that checks for common secret-related prefixes or affixes in ENV and ARG keys.Example Dockerfile
Produces the following lint warnings.