docker:security:don_t_leak_sensitive_information_to_docker_images
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| docker:security:don_t_leak_sensitive_information_to_docker_images [2020/04/18 20:00] – peter | docker:security:don_t_leak_sensitive_information_to_docker_images [2020/07/15 09:30] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 15: | Line 15: | ||
| These tokens and keys must be kept outside of the **Dockerfile**. | These tokens and keys must be kept outside of the **Dockerfile**. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ===== Using Docker secret commands ===== | ||
| + | |||
| + | Use an alpha feature in Docker for managing secrets to mount sensitive files without caching them, similar to the following: | ||
| + | |||
| + | <file bash Dockerfile> | ||
| + | # syntax = docker/ | ||
| + | FROM alpine | ||
| + | |||
| + | # shows secret from default secret location | ||
| + | RUN --mount=type=secret, | ||
| + | |||
| + | # shows secret from custom secret location | ||
| + | RUN --mount=type=secret, | ||
| + | </ | ||
| + | |||
| + | Read more about Docker secrets on their site. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ===== Beware of recursive copy ===== | ||
| + | |||
| + | You should also be mindful when copying files into the image that is being built. | ||
| + | |||
| + | For example, the following command copies the entire build context folder, recursively, | ||
| + | |||
| + | < | ||
| + | COPY . . | ||
| + | </ | ||
| + | |||
| + | If you have sensitive files in your folder, either remove them or use **.dockerignore** to ignore them: | ||
| + | |||
| + | < | ||
| + | private.key | ||
| + | appsettings.json | ||
| + | </ | ||
| + | |||
docker/security/don_t_leak_sensitive_information_to_docker_images.1587240057.txt.gz · Last modified: 2020/07/15 09:30 (external edit)