Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve suspicious env checks #5

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Improve suspicious env checks #5

wants to merge 1 commit into from

Conversation

tspearconquest
Copy link
Contributor

@tspearconquest tspearconquest commented Jun 22, 2022
edited
Loading

The current check for secrets in the env commands of a Dockerfile can incorrectly flag trivially named variables used in certain image builds such as ENV CC="/usr/bin/clang" as potentially containing a secret.

This is due to the contains() function performing a substring comparison. The string "ACCESS_KEY" which is a member of the secrets_env array contains the string "CC" which causes Dockerfiles using this env variable to be flagged.

This PR improves the suspicious env check by running different checks of the env values and performing some basic parsing of the keys and values to look for anything suspicious while avoiding use of the contains() function

Signed-off-by: Thomas Spear [email protected]

Improve suspicious env checks
6e9258c 
* This improves the suspicious env check by running several checks of the env values and performing some basic parsing of the keys and values to look for anything suspicious while avoiding false positives

Signed-off-by: Thomas Spear <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tspearconquest