Add misconfiguration for mounting a secret during build: https://docs.docker.com/engine/reference/commandline/buildx_build/
commjoen opened this issue · 0 comments
commjoen commented
This challenge is about using docker secrets from docker buildx buildpacks:
Use the --secret, but then with a hardcoded value referenced in the shell script to publish the docker container and explain that using --secret is a good idea, but not with a hardcoded call in a git-committed buildscript.
Todo:
- Embed the secret variable in https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh and make sure it lands in a file in the docker container
- Create a challenge that reads the secret from that file and teaches why this is a bad idea (see contributing.md)
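
The misconfiguration described in this issue, shown next to a corrected script and a check that tells them apart. This is an added example, not part of the issue or of the WrongSecrets code base; the names `BUILD_SECRET`, `buildsecret` and `example/image:test` are hypothetical, and it assumes the secret is passed with the `env=` form of `--secret`.

```shell
#!/bin/sh
# Added example, not from the OWASP WrongSecrets repository.
# Assumption: the build script passes the secret with the env= form of --secret.

# Print each variable handed to `--secret ...,env=NAME` that the same script
# assigns as a literal (right-hand side without $ or backtick expansion).
find_hardcoded_build_secrets() {
    script=$1
    names=$(grep -Eo -e '--secret[ =][^ ]*env=[A-Za-z_][A-Za-z0-9_]*' "$script" |
        sed -E 's/.*env=//' | sort -u)
    for name in $names; do
        if grep -Eq "^[[:space:]]*(export[[:space:]]+)?${name}=[^\$\`[:space:]][^\$\`]*\$" "$script"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample: the misconfiguration, value committed with the script.
write_weak_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
export BUILD_SECRET="constructed-placeholder-value"
docker buildx build --secret id=buildsecret,env=BUILD_SECRET -t example/image:test .
EOF
}

# Constructed sample: same flag, value injected by the CI runner's environment.
write_fixed_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
: "${BUILD_SECRET:?set BUILD_SECRET in the CI secret store}"
docker buildx build --secret id=buildsecret,env=BUILD_SECRET -t example/image:test .
EOF
}

tmpdir=$(mktemp -d)
write_weak_sample "$tmpdir/weak.sh"
write_fixed_sample "$tmpdir/fixed.sh"
echo "weak.sh:  $(find_hardcoded_build_secrets "$tmpdir/weak.sh")"
echo "fixed.sh: $(find_hardcoded_build_secrets "$tmpdir/fixed.sh")"
rm -rf "$tmpdir"
```

Both scripts use `--secret` the same way; only the first one puts the value into git history, which is the point the challenge is meant to teach.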