
Improve suspicious env checks #5

Open. Wants to merge 1 commit into base: main.

Conversation

@tspearconquest (Contributor) commented Jun 22, 2022

The current check for secrets in the `ENV` commands of a Dockerfile can incorrectly flag trivially named variables used in certain image builds, such as `ENV CC="/usr/bin/clang"`, as potentially containing a secret.

This is due to the `contains()` function performing a substring comparison. The string `"ACCESS_KEY"`, which is a member of the `secrets_env` array, contains the string `"CC"`, which causes Dockerfiles using this env variable to be flagged.

This PR improves the suspicious env check by running different checks of the env values and performing some basic parsing of the keys and values to look for anything suspicious while avoiding use of the `contains()` function.

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>

* This improves the suspicious env check by running several checks of the env values and performing some basic parsing of the keys and values to look for anything suspicious while avoiding false positives

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
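The false positive described above, and one way to avoid it, as an added illustration in Python that is not the project's own code (the project's check, described as a `contains()` call over a `secrets_env` array, is not reproduced here). The `SECRET_NAMES` list, the sample Dockerfile and every value in it are constructed for this example; `substring_check` reconstructs the kind of substring comparison the PR describes, and `key_is_suspicious` / `value_is_literal` show the token-wise key match and value parsing the PR argues for:

```python
import re
import shlex

# Constructed, illustrative list of secret-looking variable names.
# The project's own secrets_env array is not reproduced here.
SECRET_NAMES = ["ACCESS_KEY", "SECRET_KEY", "PASSWORD", "PASSWD", "TOKEN", "API_KEY"]

ENV_RE = re.compile(r"^\s*ENV\s+(.+?)\s*$", re.IGNORECASE)
# A long run of letters and digits (hex, base64-ish) with no path separators
# or references: the shape of a literal credential baked into the image.
OPAQUE_RE = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9+/=]{32,}")

# Constructed sample Dockerfile; the "credential" values are dummies.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm
ENV CC="/usr/bin/clang" CXX=/usr/bin/clang++
ENV PATH /usr/local/bin:$PATH
ENV AWS_ACCESS_KEY_ID="EXAMPLEKEYID0000000000"
ENV DB_PASSWORD=${DB_PASSWORD}
ENV SERVICE_CREDENTIAL=c0nstructedExampleCredentialValue0123456789AB
"""


def parse_env(dockerfile: str) -> list[tuple[str, str]]:
    """Extract (key, value) pairs from every ENV instruction.

    Handles both `ENV K1=v1 K2="v 2"` and the legacy `ENV KEY value` form.
    Backslash line continuations are out of scope for this example.
    """
    pairs = []
    for line in dockerfile.splitlines():
        m = ENV_RE.match(line)
        if not m:
            continue
        rest = m.group(1)
        first = rest.split(None, 1)[0]
        if "=" in first:
            # KEY=value form: shlex strips the shell-style quotes for us.
            for tok in shlex.split(rest):
                key, _, val = tok.partition("=")
                pairs.append((key, val))
        else:
            # Legacy "KEY value" form: everything after the key is the value.
            key, _, val = rest.partition(" ")
            pairs.append((key, val.strip().strip('"')))
    return pairs


def substring_check(key: str) -> bool:
    """The kind of check the PR replaces: a plain substring comparison.

    "CC" is a substring of "ACCESS_KEY", so ENV CC=/usr/bin/clang is flagged.
    """
    k = key.upper()
    return any(k in name or name in k for name in SECRET_NAMES)


def _tokens(s: str) -> list[str]:
    return [t for t in re.split(r"[^A-Z0-9]+", s.upper()) if t]


def key_is_suspicious(key: str) -> bool:
    """Token-wise match: the secret name must appear as whole, contiguous
    tokens of the key (AWS_ACCESS_KEY_ID matches ACCESS_KEY; CC does not)."""
    kt = _tokens(key)
    for name in SECRET_NAMES:
        nt = _tokens(name)
        n = len(nt)
        if any(kt[i:i + n] == nt for i in range(len(kt) - n + 1)):
            return True
    return False


def value_is_literal(value: str) -> bool:
    """Only a baked-in literal is worth flagging: references to build args or
    other variables ($FOO, ${FOO}), empty values and filesystem paths are not
    secrets by themselves."""
    v = value.strip()
    return bool(v) and not v.startswith("$") and not v.startswith("/")


def find_suspicious_env(dockerfile: str) -> list[tuple[str, str]]:
    """Return (key, reason) for each ENV pair that looks like an embedded secret."""
    findings = []
    for key, val in parse_env(dockerfile):
        if not value_is_literal(val):
            continue
        if key_is_suspicious(key):
            findings.append((key, "secret-like name with literal value"))
        elif OPAQUE_RE.fullmatch(val):
            findings.append((key, "long opaque literal value"))
    return findings


if __name__ == "__main__":
    for key, _ in parse_env(SAMPLE_DOCKERFILE):
        print(f"{key}: substring={substring_check(key)} token={key_is_suspicious(key)}")
    for key, reason in find_suspicious_env(SAMPLE_DOCKERFILE):
        print(f"FLAG {key}: {reason}")
```

Run against the sample, the substring check flags `CC` while the token-wise check does not; the value checks skip `PATH` (a path) and `DB_PASSWORD` (a `${...}` reference) and flag the two constructed literal credentials, one by name and one by the shape of its value.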