
Dockerfile:

```dockerfile
FROM
# base image omitted in the question

# credentials hard-coded as ENV literals; this is what the scanner flags
# (written as `ENV username = xyz` in the question, which Docker's legacy
# form would store as the value "= xyz", still a plaintext leak)
ENV username=xyz
ENV password=abc
```

I am passing the username and password inside the ENV instruction and getting a vulnerability for exposing the sensitive env variables.

How can I mitigate this vulnerability? Is there any other possible way to pass these credentials? I am using Jenkins to build the image but am getting a vulnerability compliance issue in Twistlock.

These credentials are also important and necessary.

  • You usually check your Dockerfile into source control, and so you absolutely shouldn't be embedding credentials of any kind there. Also remember that anything that happens in the Dockerfile can generally be retrieved with `docker history`. Do you need the credentials at build time, or only when running the container? (If the latter, see [Docker and securing passwords](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords/22652670#22652670).) – David Maze Dec 23 '20 at 14:38
  • You can leave ENV values null and pass them when running the container. `docker run -e "username=foo" -e "password=bar"` – Max Dec 24 '20 at 14:06
  • Actually I need those credentials during the run time. And I am using Jenkins to build the image, and the image has to come clean from the Twistlock stage. – user14805338 Dec 25 '20 at 11:11
  • So the credentials cannot be passed within the running container as per the scenario. Is there any possible way inside the Jenkins configuration I can pass those credentials instead of passing them in the Dockerfile? – user14805338 Dec 25 '20 at 11:17
  • Is there another possible way to pass those credentials at run time, because I am using a Jenkins job to build the images and then pushing them to JFrog. From JFrog (after all the possible scans) it will be pulled by OpenShift or get deployed to Helm. – user14805338 Dec 31 '20 at 05:12
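As an added example (not code from the question or from any commenter), here is a small Python check that does what a Twistlock-style scan does on a Dockerfile like the one above, and then applies Max's mitigation of leaving the ENV keys empty so the values are supplied at run time with `docker run -e`. The sample Dockerfile and the sensitive-name pattern are constructed assumptions.

```python
import re

# Constructed sample mirroring the question's Dockerfile (not a real project file).
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
ENV username = xyz
ENV password = abc
ENV APP_PORT=8080 DB_PASSWORD=${DB_PASSWORD}
ARG API_TOKEN=
"""
# Key names treated as sensitive (assumed list; real scanners ship their own).
SENSITIVE = re.compile(r"user(name)?|pass(word|wd)?|secret|token|api[_-]?key|cred", re.I)
# "$VAR" / "${VAR}" are resolved later, not hardcoded literals.
PLACEHOLDER = re.compile(r"^\$\{?[A-Za-z_]\w*\}?$")

def parse_kv(rest):
    """Split text after ENV/ARG the way Docker does: KEY=value form only if the
    first token has '=', else legacy form (everything after the key is the value)."""
    tokens = rest.split()
    if not tokens:
        return []
    if "=" not in tokens[0]:
        return [(tokens[0], " ".join(tokens[1:]))]  # `ENV username = xyz` -> "= xyz"
    return [tuple(t.split("=", 1)) for t in tokens if "=" in t]

def find_hardcoded_secrets(text):
    """Return [(line_no, instruction, key, literal)] for sensitive plaintext values."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        instr, _, rest = raw.strip().partition(" ")
        if instr.upper() not in ("ENV", "ARG"):
            continue  # FROM, RUN, comments and blank lines are skipped
        for key, value in parse_kv(rest):
            literal = value.strip().lstrip("= ").strip("\"'")
            if SENSITIVE.search(key) and literal and not PLACEHOLDER.match(literal):
                findings.append((n, instr.upper(), key, literal))
    return findings

def blank_secret_values(text):
    """Rewrite flagged lines so the key stays but carries no literal (inject at run time)."""
    flagged = {f[0] for f in find_hardcoded_secrets(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if n not in flagged:
            out.append(raw)
            continue
        instr, _, rest = raw.strip().partition(" ")
        pairs = [(k, "" if SENSITIVE.search(k) else v) for k, v in parse_kv(rest)]
        out.append(f"{instr.upper()} " + " ".join(f"{k}={v}" for k, v in pairs))
    return "\n".join(out) + "\n"
```

Running `find_hardcoded_secrets` on the rewritten text returns nothing, which is the state the image needs to be in before the scan stage; the real values are then given with `docker run -e password=...` or by the orchestrator's secret mechanism.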
