Use a Secret in Docker Hub Webhooks for Caller validation.
Tell us about your request
Secure Docker Hub Webhooks

Which service(s) is this request for?
Docker Hub

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We would like to use webhooks to provide ready-to-deploy functions for Docker Hub workflow automation for the community, but we need Hub webhooks to use some kind of security encryption using a secret so that the caller (i.e. Docker Hub) can be validated. Open to any of these:
- Bearer Token
- HMAC-SHA1
- HMAC-SHA256
- Content Type: application/json

Here is how GitHub does it: https://developer.github.com/webhooks/creating/?Secret#secret
See also this issue: https://github.com/docker/hub-feedback/issues/1161

Are you currently working around the issue?
No. The workaround would open a pretty large security hole in our webhook implementation.

Additional context
Again, we want to build publicly available workflow and life cycle automation functions for the Docker Hub community using Docker Hub webhooks as the trigger for those automations, but we have to make sure it can be done in a secure manner.
@mghazizadeh Please follow the issue template for creating new issues here. It helps us to parse through information quicker if all of our issues are formatted in a similar way.
@digvan please use reactions on the original issue comment. This helps us to track community response to various issues without cluttering an issue with lots of +1 comments.
@ingshtrom done! modified to use the issue template.
@mghazizadeh Thanks for submitting this issue - we'll investigate with the team!
Does the community have a preference on the particular security mechanism?
@pkennedyr The way GitHub is securing the webhook is a good starting point. You can check this link for more information: https://developer.github.com/webhooks/securing/
Here is also Stripe's implementation (which is more secure): https://stripe.com/docs/webhooks/signatures
Any update on this?
+1, any update on this? GitHub/GitLab/Bitbucket all provide support for webhook secret auth.
Pretty please?
+1
+1
Sorry I'm saying this, but it's been 3 years and still no response on this important feature. What I can say is just remove this webhook feature, because it's useless until we are able to verify that a request is coming from Docker Hub rather than from someone who just wants my server to go down by sending multiple requests.
How can such an important company forget about such an important feature for so many years? When buying Docker Hub I thought CI/CD automation would be a piece of cake, but no sane techie will allow unauthorized calls to run deploy automation. A workaround through GitHub's workflows after image push is the best option for now, but WHY?
Solution ideas:
- Host endpoint with current IP ranges, like GitHub and many other do.
- Add a secret key to webhooks (even an auto-generated one if y'all are too busy)
I think @nebuk89 is the right person to actually take on implementing this feature.
I want this feature too :cake: :c. Something basic would be enough for me.
I cannot believe I'm here asking about this feature. We are not talking about some random Flask server dude over the internet here, we are talking about freaking Docker Hub, and there is basically not a single mechanism to ensure webhooks come from them; worse, not even some IP address to lock security groups on??? Seriously, WTF!!!
No info till now, then.