rspec/rules/S6472/docker/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,docker]
----
FROM example
# Sensitive
ARG ACCESS_TOKEN
# Sensitive
ENV ACCESS_TOKEN=${ACCESS_TOKEN}
CMD /run.sh
----

== Compliant Solution

For build time secrets, use https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Buildkit's secret mount type] instead:
[source,docker]
----
FROM example
RUN --mount=type=secret,id=build_secret ./installer.sh
----

For runtime secrets, leave the environment variables empty until runtime:

[source,docker]
----
FROM example
ENV ACCESS_TOKEN=""
CMD /run.sh
----

Store the runtime secrets in an https://docs.docker.com/compose/env-file/[environment file] (such as `.env`) and then start the container with the https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file[`--env-file`] argument:

[source,text]
----
docker run --env-file .env myImage
----

include::../see.adoc[]

include::../implementation.adoc[]
Create rule S6472: Using ENV to handle secrets is security-sensitive (#1399) 2022-11-25 15:26:31 +01:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`[source,docker]`
			`----`
			`FROM example`
Modify Rule S6472: Add Docker (APPSEC-277) (#1569) 2023-02-14 10:43:24 +01:00			`# Sensitive`
Create rule S6472: Using ENV to handle secrets is security-sensitive (#1399) 2022-11-25 15:26:31 +01:00			`ARG ACCESS_TOKEN`
			`# Sensitive`
			`ENV ACCESS_TOKEN=${ACCESS_TOKEN}`
			`CMD /run.sh`
			`----`

			`== Compliant Solution`

Update code example to be more descriptive (#1493) 2023-01-06 16:27:12 +01:00			`For build time secrets, use https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Buildkit's secret mount type] instead:`
Create rule S6472: Using ENV to handle secrets is security-sensitive (#1399) 2022-11-25 15:26:31 +01:00			`[source,docker]`
			`----`
			`FROM example`
			`RUN --mount=type=secret,id=build_secret ./installer.sh`
			`----`

Update code example to be more descriptive (#1493) 2023-01-06 16:27:12 +01:00			`For runtime secrets, leave the environment variables empty until runtime:`
Create rule S6472: Using ENV to handle secrets is security-sensitive (#1399) 2022-11-25 15:26:31 +01:00
			`[source,docker]`
			`----`
			`FROM example`
			`ENV ACCESS_TOKEN=""`
			`CMD /run.sh`
			`----`

Update code example to be more descriptive (#1493) 2023-01-06 16:27:12 +01:00			Store the runtime secrets in an https://docs.docker.com/compose/env-file/[environment file] (such as `.env`) and then start the container with the https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file[`--env-file`] argument:

Create rule S6472: Using ENV to handle secrets is security-sensitive (#1399) 2022-11-25 15:26:31 +01:00			`[source,text]`
			`----`
			`docker run --env-file .env myImage`
			`----`

			`include::../see.adoc[]`

Small fixes in Docker rules (#1802) Add RUN prefix in case of shell execution Improve code highlighting 2023-04-24 16:51:51 +02:00			`include::../implementation.adoc[]`