This repository has been archived by the owner on Feb 23, 2024. It is now read-only.
ci: Replace docker build args with secret mounts #181
Merged
While analyzing the docker build process, I noticed a potentially risky transfer of secrets in the docker build process.
The build-args of a docker build are persisted in the docker image history.
As of now, this is not a problem, as the mentioned image is using a multi-stage build and only the last image (the parts after the last FROM statement) is persisted. But if statements in the Dockerfile are rearranged or the DOWNLOAD_KEY variable is used somewhere in the last stage, it could be present in the docker image metadata and everyone could fetch it by checking the docker history output.
This was a common problem in lots of projects, but buildkit implemented a solution for it.
Instead of using build-args, buildkit offers dedicated secret mounts, which we should incorporate instead.
https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/reference.md#run---mounttypesecret
I propose to switch to the secret mounts to avoid potential risks going forward; it should be implemented in Concourse since v0.10.0 (concourse/oci-build-task#88).
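To make the risk described in the PR concrete, here is an added example (not code from this PR or the project): the build-arg form of a download step beside the BuildKit secret-mount form, a linter that flags build args referenced in the final stage of a Dockerfile, and a checker that scans `docker history --no-trunc --format '{{json .}}'` output for `|N KEY=VALUE` prefixes, which is how the builder records build args a RUN step consumed. The Dockerfiles, the history output, the `DOWNLOAD_KEY` value and the `example.invalid` URL are constructed for illustration.

```python
"""Added example, not code from the PR or the project. Shows how a build arg
ends up in image history and how the same step looks with a BuildKit secret
mount, plus two checks a CI job could run. All inputs below are constructed."""
import json
import re

# Risky form: the secret is a build arg consumed by a RUN in the final stage,
# so its value is recorded in that layer's CreatedBy metadata.
DOCKERFILE_BUILD_ARG = r"""
FROM alpine:3.19
ARG DOWNLOAD_KEY
RUN apk add --no-cache curl && \
    curl -fsSL -H "Authorization: Bearer $DOWNLOAD_KEY" \
      -o /opt/artifact.tar.gz https://example.invalid/artifact.tar.gz
"""

# Hardened form: the secret is mounted only for the duration of the RUN step
# and is not written into the layer or its history. Build with:
#   DOCKER_BUILDKIT=1 docker build --secret id=download_key,src=./download_key.txt .
DOCKERFILE_SECRET_MOUNT = r"""
# syntax=docker/dockerfile:1
FROM alpine:3.19 AS downloader
RUN --mount=type=secret,id=download_key \
    apk add --no-cache curl && \
    curl -fsSL -H "Authorization: Bearer $(cat /run/secrets/download_key)" \
      -o /tmp/artifact.tar.gz https://example.invalid/artifact.tar.gz
FROM alpine:3.19
COPY --from=downloader /tmp/artifact.tar.gz /opt/
"""

# Constructed output in the shape of
#   docker history --no-trunc --format '{{json .}}' <image>
# for an image built from DOCKERFILE_BUILD_ARG (newest layer first).
SAMPLE_HISTORY = "\n".join(json.dumps(h) for h in [
    {"CreatedBy": "RUN |1 DOWNLOAD_KEY=hunter2-example /bin/sh -c apk add --no-cache curl && "
                  "curl -fsSL -H \"Authorization: Bearer $DOWNLOAD_KEY\" "
                  "-o /opt/artifact.tar.gz https://example.invalid/artifact.tar.gz # buildkit",
     "Size": "4.1MB"},
    {"CreatedBy": "ARG DOWNLOAD_KEY", "Size": "0B"},
    {"CreatedBy": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]", "Size": "0B"},
])


def build_args_in_layer(created_by: str) -> dict[str, str]:
    """Parse the '|N KEY=VALUE ...' build-arg prefix of a RUN layer, if present."""
    m = re.match(r"(?:RUN |/bin/sh -c )\|(\d+) ", created_by)
    if not m:
        return {}
    count = int(m.group(1))
    tokens = created_by[m.end():].split()[:count]
    return dict(t.partition("=")[::2] for t in tokens)


def leaked_build_args(history_json_lines: str, sensitive: set[str]) -> list[tuple[int, str, str]]:
    """Return (layer_index, name, value) for every sensitive arg found in history."""
    found = []
    for idx, line in enumerate(history_json_lines.splitlines()):
        if not line.strip():
            continue
        created_by = json.loads(line).get("CreatedBy", "")
        for name, value in build_args_in_layer(created_by).items():
            if name in sensitive:
                found.append((idx, name, value))
    return found


def _instructions(dockerfile: str) -> list[tuple[str, str]]:
    """Join backslash continuations and yield (INSTRUCTION, rest) pairs, skipping comments."""
    joined = re.sub(r"\\\n\s*", " ", dockerfile)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        out.append((instr.upper(), rest.strip()))
    return out


def final_stage_arg_refs(dockerfile: str) -> set[str]:
    """Build args declared in the last stage and referenced by a non-ARG instruction there."""
    instrs = _instructions(dockerfile)
    last_from = max(i for i, (ins, _) in enumerate(instrs) if ins == "FROM")
    stage = instrs[last_from:]
    declared = {rest.split("=", 1)[0].strip() for ins, rest in stage if ins == "ARG"}
    refs = set()
    for ins, rest in stage:
        if ins == "ARG":
            continue
        for m in re.finditer(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?", rest):
            if m.group(1) in declared:
                refs.add(m.group(1))
    return refs


def uses_secret_mount(dockerfile: str) -> bool:
    """True if any RUN step uses a BuildKit secret mount."""
    return any(ins == "RUN" and "--mount=type=secret" in rest
               for ins, rest in _instructions(dockerfile))


if __name__ == "__main__":
    for idx, name, value in leaked_build_args(SAMPLE_HISTORY, {"DOWNLOAD_KEY"}):
        print(f"layer {idx}: build arg {name} is recoverable from history (value={value!r})")
    print("final-stage arg refs (build-arg form):", final_stage_arg_refs(DOCKERFILE_BUILD_ARG))
    print("final-stage arg refs (secret-mount form):", final_stage_arg_refs(DOCKERFILE_SECRET_MOUNT))
```

The two Dockerfile checks are meant for a pre-build lint: fail the job if `final_stage_arg_refs` is non-empty for an arg you treat as secret, and require `uses_secret_mount` for steps that need credentials. The history check is the post-build counterpart, run against the pushed image with the real `docker history` output piped in; note that an arg declared in the final stage can still be recorded by the builder even when it is not referenced, so treat any `ARG` for a secret in the last stage as a finding, not only referenced ones.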