Add misconfiguration for mounting in secret in during build: https://docs.docker.com/engine/reference/commandline/buildx_build/

Question

Add misconfiguration for mounting in secret in during build: https://docs.docker.com/engine/reference/commandline/buildx_build/

commjoen opened this issue a year ago · 0 comments

This challenge is about using docker secrets from docker buildx buildpacks:

Use the --secret, but then with a hardcoded value referenced in the shell script to publish the docker container and explain that using --secret is a good idea, but not with a hardcoded call in a git-comitted buildscript.

Todo:

Embed the secret variable in https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh and make sure it lands in a file in the docker container
create a challenge that reads the secret from that file and teaches why this is a bad idea (See contributing.md)