== Why is this an issue?

Docker offers a feature to mount files and directories for specific `RUN`
instructions when building Docker images. This feature can be used to provide
secrets to the commands that are executed during the build without baking them
into the image. Additionally, it can be used to access SSH agents during the
build.

By using the `mode` option the permissions of the secrets or agents can be
modified. By default, access is limited to the root user.

When such secrets are exposed with lax permissions, they might get compromised
during the image build process. A successful compromise can only happen during
the execution of the command the `mount` option has been added to. While this
might seem like a very hard exploitation requirement, supply chain attacks, and
other related threats, should still be considered.

If you are executing a command as a low-privileged user and need to access
secrets or agents, you can use the options `uid` and `gid` to provide access
without having to resort to world-readable or writable permissions that might
expose them to unintended parties.


=== Noncompliant code example

[source,docker]
----
RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh # Noncompliant
----

=== Compliant solution

[source,docker]
----
RUN --mount=type=secret,id=build_secret,uid=1000 ./installer.sh
----

== Resources

* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
* https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Dockerfile reference] - RUN --mount


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

For secret:

 * Remove world permissions for this sensitive file.

For ssh:

 * Remove world permissions for this sensitive agent.



'''
endif::env-github,rspecator-view[]