Class: Rules::DockerBuildArgSecrets

Inherits:

Base

Object
Base
Rules::DockerBuildArgSecrets

show all

Defined in:: lib/rules/docker_build_arg_secrets.rb

Instance Method Summary collapse

#check(workflow) ⇒ Object
#description ⇒ Object
#name ⇒ Object
#severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ `Object`

# File 'lib/rules/docker_build_arg_secrets.rb', line 7

def check(workflow)
  findings = []

  workflow.lines_of(/build-args:/).each do |line_num|
    (line_num..(line_num + 20)).each do |i|
      break if i > workflow.raw_lines.length
      line = workflow.line_content(i)
      break if line&.match?(/^\s*\w+:/) && !line.match?(/^\s+["']?[A-Z_]+=/)

      if line&.match?(/secrets\./)
        findings << finding(workflow,
          line: i,
          code: line.strip,
          message: "Secret in Docker build-arg — extractable via docker history",
          fix: "Use --secret flag or RUN --mount=type=secret instead of build-arg"
        )
      end
    end
  end

  findings
end

#description ⇒ `Object`

4	# File 'lib/rules/docker_build_arg_secrets.rb', line 4 def description = "Secrets passed as Docker build-args (visible in image layers)"

#name ⇒ `Object`

3	# File 'lib/rules/docker_build_arg_secrets.rb', line 3 def name = "docker-build-arg-secrets"

#severity ⇒ `Object`

5	# File 'lib/rules/docker_build_arg_secrets.rb', line 5 def severity = :high

Class: Rules::DockerBuildArgSecrets

Instance Method Summary collapse

Instance Method Details

#check(workflow) ⇒ Object

#description ⇒ Object

#name ⇒ Object

#severity ⇒ Object

#check(workflow) ⇒ `Object`

#description ⇒ `Object`

#name ⇒ `Object`

#severity ⇒ `Object`