Differences

This shows you the differences between two versions of the page.

--- docker:security:don_t_leak_sensitive_information_to_docker_images [2020/04/18 19:33] – created peter
+++ docker:security:don_t_leak_sensitive_information_to_docker_images [2020/07/15 09:30] (current) – external edit 127.0.0.1
@@ Line 8: / Line 8: @@
   * Use the Docker secrets feature to mount sensitive files without caching them (supported only from Docker 18.04).
   * Use a **.dockerignore** file to avoid a hazardous **COPY** instruction, which pulls in sensitive files that are part of the build context.
+Sometimes, when building an application inside a Docker image, you need secrets such as an SSH private key to pull code from a private repository, or you need tokens to install private packages.
+If you copy them into the Docker intermediate container they are cached on the layer to which they were added, even if you delete them later on.
+These tokens and keys must be kept outside of the **Dockerfile**.
+----
+===== Using Docker secret commands =====
+Use an alpha feature in Docker for managing secrets to mount sensitive files without caching them, similar to the following:
+<file bash Dockerfile>
+# syntax = docker/dockerfile:1.0-experimental
+FROM alpine
+# shows secret from default secret location
+RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecre
+# shows secret from custom secret location
+RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
+</file>
+Read more about Docker secrets on their site.
+----
+===== Beware of recursive copy =====
+You should also be mindful when copying files into the image that is being built.
+For example, the following command copies the entire build context folder, recursively, to the Docker image, which could end up copying sensitive files as well:
+<code>
+COPY . .
+</code>
+If you have sensitive files in your folder, either remove them or use **.dockerignore** to ignore them:
+<code>
+private.key
+appsettings.json
+</code>