From 0e524f790a98dfd6b044a1965e35391d379193c3 Mon Sep 17 00:00:00 2001
From: Talon Bowler
Date: Tue, 2 Jul 2024 11:13:54 -0700
Subject: [PATCH] Add documentation for SecretsUsedInArgOrEnv rule
Signed-off-by: Talon Bowler
---
 frontend/dockerfile/dockerfile2llb/convert.go | 2 +-
 frontend/dockerfile/dockerfile_lint_test.go | 8 +++++
 frontend/dockerfile/docs/rules/_index.md | 4 +++
 .../docs/rules/secrets-used-in-arg-or-env.md | 32 +++++++++++++++++++
 .../linter/docs/SecretsUsedInArgOrEnv.md | 24 ++++++++++++++
 frontend/dockerfile/linter/ruleset.go | 1 +
 6 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md
 create mode 100644 frontend/dockerfile/linter/docs/SecretsUsedInArgOrEnv.md
diff --git a/frontend/dockerfile/dockerfile2llb/convert.go b/frontend/dockerfile/dockerfile2llb/convert.go
index a914625387e16..abfeebf75dff1 100644
--- a/frontend/dockerfile/dockerfile2llb/convert.go
+++ b/frontend/dockerfile/dockerfile2llb/convert.go
@@ -2363,7 +2363,7 @@ func validateNoSecretKey(key string, location []parser.Range, lint *linter.Linte
 "secret",
 "token",
 }
- pattern := `(?i)(?:_|^)(?:`+strings.Join(secretTokens, "|")+`)(?:_|$)`
+ pattern := `(?i)(?:_|^)(?:` + strings.Join(secretTokens, "|") + `)(?:_|$)`
 if matched, _ := regexp.MatchString(pattern, key); matched {
 msg := linter.RuleSecretsUsedInArgOrEnv.Format(key)
 lint.Run(&linter.RuleSecretsUsedInArgOrEnv, location, msg)
diff --git a/frontend/dockerfile/dockerfile_lint_test.go b/frontend/dockerfile/dockerfile_lint_test.go
index 1ca9c438e4f0f..f08f2f1a92053 100644
--- a/frontend/dockerfile/dockerfile_lint_test.go
+++ b/frontend/dockerfile/dockerfile_lint_test.go
@@ -61,6 +61,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "SECRET_PASSPHRASE")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 3,
 },
@@ -68,6 +69,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "SUPER_Secret")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 4,
 },
@@ -75,6 +77,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "password")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 5,
 },
@@ -82,6 +85,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "secret")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 5,
 },
@@ -89,6 +93,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "super_duper_secret_token")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 6,
 },
@@ -96,6 +101,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "auth")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 6,
 },
@@ -103,6 +109,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "apikey")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 7,
 },
@@ -110,6 +117,7 @@ ENV git_key=
 RuleName: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
 Detail: `Secrets should not be used in the ARG or ENV commands (key named "git_key")`,
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 8,
 },
diff --git a/frontend/dockerfile/docs/rules/_index.md b/frontend/dockerfile/docs/rules/_index.md
index 7e7bb9a8d2392..8e1266602b5e0 100644
--- a/frontend/dockerfile/docs/rules/_index.md
+++ b/frontend/dockerfile/docs/rules/_index.md
@@ -84,5 +84,9 @@ $ docker build --check .
 RedundantTargetPlatform Setting platform to predefined $TARGETPLATFORM in FROM is redundant as this is the default behavior
+
+ SecretsUsedInArgOrEnv
+ Potentially sensitive data should not be used in the ARG or ENV commands
+
diff --git a/frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md b/frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md
new file mode 100644
index 0000000000000..496f9e8dc64e8
--- /dev/null
+++ b/frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md
@@ -0,0 +1,32 @@
+---
+title: SecretsUsedInArgOrEnv
+description: Potentially sensitive data should not be used in the ARG or ENV commands
+aliases:
+ - /go/dockerfile/rule/secrets-used-in-arg-or-env/
+---
+
+## Output
+
+```text
+Potentially sensitive data should not be used in the ARG or ENV commands
+```
+
+## Description
+
+While it is common in many local development setups to pass secrets to running
+processes through environment variables, setting these within a Dockerfile via
+the `ENV` command means that these secrets will be committed to the build
+history of the resulting image, exposing the secret. For the same reasons,
+passing secrets in as build arguments, via the `ARG` command, will similarly
+expose the secret. This rule reports violations where `ENV` and `ARG` key names
+appear to be secret-related.
+
+## Examples
+
+❌ Bad: `AWS_SECRET_ACCESS_KEY` is a secret value.
+
+```dockerfile
+FROM scratch
+ARG AWS_SECRET_ACCESS_KEY
+```
+
diff --git a/frontend/dockerfile/linter/docs/SecretsUsedInArgOrEnv.md b/frontend/dockerfile/linter/docs/SecretsUsedInArgOrEnv.md
new file mode 100644
index 0000000000000..1ad80ed7858b9
--- /dev/null
+++ b/frontend/dockerfile/linter/docs/SecretsUsedInArgOrEnv.md
@@ -0,0 +1,24 @@
+## Output
+
+```text
+Potentially sensitive data should not be used in the ARG or ENV commands
+```
+
+## Description
+
+While it is common in many local development setups to pass secrets to running
+processes through environment variables, setting these within a Dockerfile via
+the `ENV` command means that these secrets will be committed to the build
+history of the resulting image, exposing the secret. For the same reasons,
+passing secrets in as build arguments, via the `ARG` command, will similarly
+expose the secret. This rule reports violations where `ENV` and `ARG` key names
+appear to be secret-related.
+
+## Examples
+
+❌ Bad: `AWS_SECRET_ACCESS_KEY` is a secret value.
+
+```dockerfile
+FROM scratch
+ARG AWS_SECRET_ACCESS_KEY
+```
diff --git a/frontend/dockerfile/linter/ruleset.go b/frontend/dockerfile/linter/ruleset.go
index 08949e0079e47..cd885d000809d 100644
--- a/frontend/dockerfile/linter/ruleset.go
+++ b/frontend/dockerfile/linter/ruleset.go
@@ -135,6 +135,7 @@ var (
 RuleSecretsUsedInArgOrEnv = LinterRule[func(string) string]{
 Name: "SecretsUsedInArgOrEnv",
 Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
+ URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Format: func(secretKey string) string {
 return fmt.Sprintf("Secrets should not be used in the ARG or ENV commands (key named %q)", secretKey)
 },
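Review bot: The exported `RuleSecretsUsedInArgOrEnv` declaration has no doc comment visible in this hunk, and its `Description` reads as if sensitive values were detected, whereas the only matching shown on this page (`validateNoSecretKey` in the convert.go hunk, which receives just the key and runs `regexp.MatchString` against a token list containing `"secret"` and `"token"`) tests the ARG/ENV key name alone. A secret stored under an innocuous key name is therefore not reported, and readers of the rule set should not take a clean run as proof that no secret is baked into the image. If nothing above the hunk documents this (the `var (` block begins outside it), I would add `// RuleSecretsUsedInArgOrEnv warns when an ARG or ENV key name looks secret-related; it is a name heuristic and never inspects the value.` above the declaration so the limitation is stated where the rule is defined.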