acr-builder

Secrets exposed when using --secretBuildArgs

Open blueboxes opened this issue 2 years ago • 1 comment

There does not seem to be documentation on how to consume the values from --secretBuildArgs in your docker script.

If I look at the code, it seems to map to docker build args:

https://github.com/Azure/acr-builder/blob/main/cmd/acb/commands/build/build.go#L302

This is odd as the docker documentation says never to use build args for secrets as they are stored in the logs.

https://docs.docker.com/engine/reference/builder/#arg

After testing I have seen the secrets shown in the logs in the Azure portal. These are secrets that viewers of the logs should not see. This came up as I used a { character in the secret value and that broke the script.

blueboxes avatar Jul 03 '23 13:07 blueboxes

You're correct that the --secret-build-arg is simply passed to --build-arg of the Docker build command. The distinction pertains to the visibility of data in the ACR backend.

To mitigate the risk of potential leaks through Docker history, consider creating a YAML context and utilizing BuildKit's secret and volume mount features instead. Please refer to ACR Tasks reference: YAML, and also ACR Tasks samples.

yuehaoliang avatar Feb 01 '24 09:02 yuehaoliang
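To make the difference between the two mechanisms concrete, here is an added Dockerfile example (not code from the acr-builder project or from either commenter). The `leaky` stage takes the token as a build arg, which is how `--secret-build-arg` reaches Docker according to the issue; the `hardened` stage uses the BuildKit secret mount the reply recommends. The secret id `npm_token`, the file `/run/secrets/npm_token` and the `.npmrc` usage are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not part of acr-builder. Requires BuildKit
# (DOCKER_BUILDKIT=1 or `docker buildx build`).

# --- Leaky form ---------------------------------------------------------
# The ARG value is recorded in the layer metadata for every instruction
# that uses it, so `docker history` and any log that echoes the build
# command line reveal it. Deleting the file afterwards does not help.
FROM alpine:3.19 AS leaky
ARG NPM_TOKEN
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > /root/.npmrc \
 && echo "install dependencies here" \
 && rm /root/.npmrc

# --- Hardened form -----------------------------------------------------
# The secret is mounted into the filesystem only for the duration of this
# RUN step (default path /run/secrets/<id>), is never written to a layer,
# and therefore does not appear in the image history or in the build args.
FROM alpine:3.19 AS hardened
RUN --mount=type=secret,id=npm_token \
    echo "//registry.npmjs.org/:_authToken=$(cat /run/secrets/npm_token)" > /root/.npmrc \
 && echo "install dependencies here" \
 && rm /root/.npmrc
```

Build the hardened stage with `docker build --secret id=npm_token,src=./npm_token.txt --target hardened -t app .`; the token file is read by BuildKit and never becomes part of the image. A quick check after building the `leaky` stage with `--build-arg NPM_TOKEN=...` is `docker history --no-trunc`, which prints the ARG value in the affected layers, while the same command on the `hardened` image shows only the `--mount` flag. How the secret file is supplied from an ACR Tasks YAML build step is covered by the ACR Tasks reference and samples linked in the reply above.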