
Commit 390611d

Generate dockerfile documentation after updating SecretsUsedInArgOrEnv rule description
Signed-off-by: Talon Bowler <[email protected]>
1 parent 20224f5 commit 390611d

3 files changed, +13 -9 lines changed

frontend/dockerfile/docs/rules/_index.md

Lines changed: 1 addition & 1 deletion
@@ -86,7 +86,7 @@ $ docker build --check .
8686
</tr>
8787
<tr>
8888
<td><a href="./secrets-used-in-arg-or-env/">SecretsUsedInArgOrEnv</a></td>
89-
<td>Potentially sensitive data should not be used in the ARG or ENV commands</td>
89+
<td>Sensitive data should not be used in the ARG or ENV commands</td>
9090
</tr>
9191
</tbody>
9292
</table>
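Review bot: the row text "Sensitive data should not be used in the ARG or ENV commands" now matches the frontmatter `description` changed in frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md, but the third file in this commit, frontend/dockerfile/linter/docs/SecretsUsedInArgOrEnv.md, still carries "Potentially sensitive data should not be used in the ARG or ENV commands" above its Description section (it shows up unchanged as the hunk-header context of that file's diff). Since the commit message says these files are generated from the rule description, check that the generator reads the updated wording for all three outputs, otherwise the copies drift again on the next regeneration.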

frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
---
22
title: SecretsUsedInArgOrEnv
3-
description: Potentially sensitive data should not be used in the ARG or ENV commands
3+
description: Sensitive data should not be used in the ARG or ENV commands
44
aliases:
55
- /go/dockerfile/rule/secrets-used-in-arg-or-env/
66
---

frontend/dockerfile/linter/docs/SecretsUsedInArgOrEnv.md

Lines changed: 11 additions & 7 deletions
@@ -6,13 +6,17 @@ Potentially sensitive data should not be used in the ARG or ENV commands
66

77
## Description
88

9-
While it is common in many local development setups to pass secrets to running
10-
processes through environment variables, setting these within a Dockerfile via
11-
the `ENV` command means that these secrets will be committed to the build
12-
history of the resulting image, exposing the secret. For the same reasons,
13-
passing secrets in as build arguments, via the `ARG` command, will similarly
14-
expose the secret. This rule reports violations where `ENV` and `ARG` key names
15-
appear to be secret-related.
9+
While it is common to pass secrets to running processes
10+
through environment variables during local development,
11+
setting secrets in a Dockerfile using `ENV` or `ARG`
12+
is insecure because they persist in the final image.
13+
This rule reports violations where `ENV` and `ARG` keys
14+
indicate that they contain sensitive data.
15+
16+
Instead of `ARG` or `ENV`, you should use secret mounts,
17+
which expose secrets to your builds in a secure manner,
18+
and do not persist in the final image or its metadata.
19+
See [Build secrets](https://docs.docker.com/build/building/secrets/).
1620

1721
## Examples
1822

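Review bot: the new lines 11-12 ("setting secrets in a Dockerfile using `ENV` or `ARG` is insecure because they persist in the final image") are less precise than the deleted text, which stated that the values are "committed to the build history of the resulting image"; consider "persist in the final image and its build history", which also lines up with line 18's "do not persist in the final image or its metadata" for secret mounts. Separately, replacing "key names appear to be secret-related" with "keys indicate that they contain sensitive data" (lines 13-14) drops the hint that this is a name-based heuristic on the key, not an inspection of the value; keeping "appear to" or "look secret-related" tells readers to expect false positives and negatives. Finally, the line above this section still reads "Potentially sensitive data should not be used in the ARG or ENV commands" (visible in the `@@ -6,13 +6,17 @@` header) while the other two files now say "Sensitive data ..."; it should be regenerated with the same wording.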