Class: Rules::DockerBuildArgSecrets

Inherits:

Base

Object
Base
Rules::DockerBuildArgSecrets

show all

Defined in:: lib/rules/docker_build_arg_secrets.rb

Instance Method Summary collapse

#check(workflow) ⇒ Object
#description ⇒ Object
#name ⇒ Object
#severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ `Object`

# File 'lib/rules/docker_build_arg_secrets.rb', line 7

def check(workflow)
    findings = []

    workflow.lines_of(/build-args:/).each do |line_num|
        (line_num..(line_num + 20)).each do |i|
            break if i > workflow.raw_lines.length
            line = workflow.line_content(i)
            break if line&.match?(/^\s*\w+:/) && !line.match?(/^\s+["']?[A-Z_]+=/)

            if line&.match?(/secrets\./)
                findings << finding(workflow,
                    line: i,
                    code: line.strip,
                    message: "Secret in Docker build-arg — extractable via docker history",
                    fix: "Use --secret flag or RUN --mount=type=secret instead of build-arg"
                )
            end
        end
    end

    findings
end

#description ⇒ `Object`

4	# File 'lib/rules/docker_build_arg_secrets.rb', line 4 def description = "Secrets passed as Docker build-args (visible in image layers)"

#name ⇒ `Object`

3	# File 'lib/rules/docker_build_arg_secrets.rb', line 3 def name = "docker-build-arg-secrets"

#severity ⇒ `Object`

5	# File 'lib/rules/docker_build_arg_secrets.rb', line 5 def severity = :high

Class: Rules::DockerBuildArgSecrets

Instance Method Summary collapse

Instance Method Details

#check(workflow) ⇒ Object

#description ⇒ Object

#name ⇒ Object

#severity ⇒ Object

#check(workflow) ⇒ `Object`

#description ⇒ `Object`

#name ⇒ `Object`

#severity ⇒ `Object`