
Commit 20224f5

update format string for SecretsUsedInArgOrEnv rule check
Signed-off-by: Talon Bowler <[email protected]>
1 parent fabe0dc commit 20224f5


3 files changed

+23
-23
lines changed


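--- a/frontend/dockerfile/dockerfile2llb/convert.go
+++ b/frontend/dockerfile/dockerfile2llb/convert.go
@@ -1128,7 +1128,7 @@ func dispatchEnv(d *dispatchState, c *instructions.EnvCommand, lint *linter.Lint
 msg := linter.RuleLegacyKeyValueFormat.Format(c.Name())
 lint.Run(&linter.RuleLegacyKeyValueFormat, c.Location(), msg)
 }
-validateNoSecretKey(e.Key, c.Location(), lint)
+validateNoSecretKey("ENV", e.Key, c.Location(), lint)
 commitMessage.WriteString(" " + e.String())
 d.state = d.state.AddEnv(e.Key, e.Value)
 d.image.Config.Env = addEnv(d.image.Config.Env, e.Key, e.Value)
@@ -1707,7 +1707,7 @@ func dispatchShell(d *dispatchState, c *instructions.ShellCommand) error {
 func dispatchArg(d *dispatchState, c *instructions.ArgCommand, opt *dispatchOpt) error {
 commitStrs := make([]string, 0, len(c.Args))
 for _, arg := range c.Args {
-validateNoSecretKey(arg.Key, c.Location(), opt.lint)
+validateNoSecretKey("ARG", arg.Key, c.Location(), opt.lint)
 _, hasValue := opt.buildArgValues[arg.Key]
 hasDefault := arg.Value != nil
 
@@ -2375,10 +2375,10 @@ func getSecretsRegex() *regexp.Regexp {
 return secretsRegexp
 }
 
-func validateNoSecretKey(key string, location []parser.Range, lint *linter.Linter) {
+func validateNoSecretKey(instruction, key string, location []parser.Range, lint *linter.Linter) {
 pattern := getSecretsRegex()
 if pattern.MatchString(key) {
-msg := linter.RuleSecretsUsedInArgOrEnv.Format(key)
+msg := linter.RuleSecretsUsedInArgOrEnv.Format(instruction, key)
 lint.Run(&linter.RuleSecretsUsedInArgOrEnv, location, msg)
 }
 }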
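Review bot: validateNoSecretKey in the last hunk still has no doc comment, and its limits are worth stating now that the signature has grown: the check is `pattern.MatchString(key)` only, so it flags suspicious key names and never inspects the value, which means a clean lint run does not show that no secret is baked into the image. I would add `// validateNoSecretKey warns when an ARG/ENV key name matches getSecretsRegex; values are not inspected, and instruction only labels the message.` above the function. The new `instruction` parameter is fed bare string literals (`"ENV"` in dispatchEnv, `"ARG"` in dispatchArg), so a typo at a future call site would still compile; a pair of named constants would keep the label consistent. The bodies of dispatchEnv and dispatchArg extend outside their hunks.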

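--- a/frontend/dockerfile/dockerfile_lint_test.go
+++ b/frontend/dockerfile/dockerfile_lint_test.go
@@ -59,64 +59,64 @@ ENV git_key=
 Warnings: []expectedLintWarning{
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "SECRET_PASSPHRASE")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ARG "SECRET_PASSPHRASE")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 3,
 },
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "SUPER_Secret")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "SUPER_Secret")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 4,
 },
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "password")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "password")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 5,
 },
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "secret")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "secret")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 5,
 },
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "super_duper_secret_token")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ARG "super_duper_secret_token")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 6,
 },
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "auth")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ARG "auth")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 6,
 },
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "apikey")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "apikey")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 7,
 },
 {
 RuleName: "SecretsUsedInArgOrEnv",
-Description: "Potentially sensitive data should not be used in the ARG or ENV commands",
-Detail: `Secrets should not be used in the ARG or ENV commands (key named "git_key")`,
+Description: "Sensitive data should not be used in the ARG or ENV commands",
+Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "git_key")`,
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 Level: 1,
 Line: 8,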

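--- a/frontend/dockerfile/linter/ruleset.go
+++ b/frontend/dockerfile/linter/ruleset.go
@@ -132,12 +132,12 @@ var (
 return fmt.Sprintf("Setting platform to predefined %s in FROM is redundant as this is the default behavior", platformVar)
 },
 }
-RuleSecretsUsedInArgOrEnv = LinterRule[func(string) string]{
+RuleSecretsUsedInArgOrEnv = LinterRule[func(string, string) string]{
 Name: "SecretsUsedInArgOrEnv",
 Description: "Sensitive data should not be used in the ARG or ENV commands",
 URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
-Format: func(secretKey string) string {
-return fmt.Sprintf("Secrets should not be used in the ARG or ENV commands (key named %q)", secretKey)
+Format: func(instruction, secretKey string) string {
+return fmt.Sprintf("Do not use ARG or ENV instructions for sensitive data (%s %q)", instruction, secretKey)
 },
 }
 )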
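Review bot: `Format: func(instruction, secretKey string) string` takes two arguments of the same type, so a caller that swaps them still compiles and produces a message that quotes the instruction as if it were the key. A one-line comment fixing the order would help, e.g. `// Format(instruction, secretKey): instruction is "ARG" or "ENV"; secretKey is the matched key name, not its value.` The detail text also tells the user what to avoid without naming what to use instead. The alternative is presumably covered at the rule URL, but a short pointer to build secrets (`RUN --mount=type=secret`) in the message would make the warning actionable from CI logs alone. The `var (` block starts outside the hunk.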
