
Censor suspicious environment variables

Open hilariocoelho opened this issue 4 months ago • 0 comments

This pull request intends to censor any suspicious environment variables that are found.

Previously any suspicious environment variable found was being leaked during CIS-DI-0010 checkpoint assessment as seen below:

FATAL   - CIS-DI-0010: Do not store credential in environment variables/files
        * Suspicious ENV key found : GITLAB_TOKEN on /bin/sh -c #(nop)  ENV GITLAB_TOKEN=y5V1xiW5eTwq34jasRqFBD (You can suppress it with --accept-key)

With this PR the same finding would be:

FATAL   - CIS-DI-0010: Do not store credential in environment variables/files
        * Suspicious ENV key found : GITLAB_TOKEN on /bin/sh -c #(nop)  ENV GITLAB_TOKEN=******* (You can suppress it with --accept-key)

Notice that the environment variable now isn't leaked on the output to stdout. This also applies to any other export format.

This is important since Dockle might inadvertently leak production (or other environment) credentials in a CI/CD pipeline.

hilariocoelho, Oct 14 '24 21:10
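The redaction the PR describes, written out as an added example in Go (not dockle's own code): given the raw layer command recorded for an `ENV` instruction and the key that tripped CIS-DI-0010, only that key's value is replaced with the `*******` mask while any other `KEY=value` pairs on the same line are kept. The function name, the `Mask` constant and the handling of quoted values and values containing `=` are assumptions that go slightly beyond the single case shown above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mask replaces the value of a suspicious ENV key in the reported layer
// command, matching the placeholder shown in the PR description.
const Mask = "*******"

// CensorEnvValue (hypothetical helper, not dockle's API) takes a layer
// command such as `/bin/sh -c #(nop)  ENV GITLAB_TOKEN=y5V1...` and masks
// the value assigned to key. Other KEY=value pairs on the line are left
// intact; a value may be double-quoted (with spaces) or contain '='.
func CensorEnvValue(layerCmd, key string) string {
	// The key must start a token (line start or whitespace before it) and
	// be followed by '='; the value is either a quoted string or a run of
	// non-whitespace characters.
	re := regexp.MustCompile(`(^|\s)` + regexp.QuoteMeta(key) + `=("(?:[^"\\]|\\.)*"|\S*)`)
	return re.ReplaceAllStringFunc(layerCmd, func(m string) string {
		// Keep the whitespace captured before the key, drop the value.
		prefix := m[:strings.Index(m, key)]
		return prefix + key + "=" + Mask
	})
}

func main() {
	// Constructed sample, mirroring the finding quoted in the PR.
	cmd := "/bin/sh -c #(nop)  ENV GITLAB_TOKEN=y5V1xiW5eTwq34jasRqFBD"
	fmt.Println("before:", cmd)
	fmt.Println("after: ", CensorEnvValue(cmd, "GITLAB_TOKEN"))
}
```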