Update frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md

daghack · dvdksn · web-flow · commit ac1c2100a0b8 · 2024-07-03T09:18:09.000-07:00
Co-authored-by: David Karlsson &lt;35727626+dvdksn@users.noreply.github.com&gt;
Signed-off-by: Talon James Bowler &lt;nolat301@gmail.com&gt;
diff --git a/frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md b/frontend/dockerfile/docs/rules/secrets-used-in-arg-or-env.md
@@ -13,13 +13,17 @@ Potentially sensitive data should not be used in the ARG or ENV commands
 
 ## Description
 
-While it is common in many local development setups to pass secrets to running
-processes through environment variables, setting these within a Dockerfile via
-the `ENV` command means that these secrets will be committed to the build
-history of the resulting image, exposing the secret. For the same reasons,
-passing secrets in as build arguments, via the `ARG` command, will similarly
-expose the secret. This rule reports violations where `ENV` and `ARG` key names
-appear to be secret-related.
+While it is common to pass secrets to running processes
+through environment variables during local development,
+setting secrets in a Dockerfile using `ENV` or `ARG`
+is insecure because they persist in the final image.
+This rule reports violations where `ENV` and `ARG` keys
+indicate that they contain sensitive data.
+
+Instead of `ARG` or `ENV`, you should use secret mounts,
+which expose secrets to your builds in a secure manner,
+and do not persist in the final image or its metadata.
+See [Build secrets](https://docs.docker.com/build/building/secrets/).
 
 ## Examples
 
