moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

Rule prediction case when name ends with "version" #5504

Open serious-angel opened 2 weeks ago

serious-angel commented 2 weeks ago

Dear Community and Developers,

Thank you for the ineffably marvelous project... :sparkles:

I am sorry, but just wanted to report a possible case for reconsideration of the current rule prediction algorithm.

For instance:

$ docker build --check .
[+] Building 1.2s (4/4) FINISHED                                                    docker:default
 => [internal] load build definition from Dockerfile                                          0.0s
 => => transferring dockerfile: 7.38kB                                                        0.0s
 => [internal] load metadata for docker.io/library/nginx:1.25.4                               1.1s
 => [auth] library/nginx:pull token for registry-1.docker.io                                  0.0s
 => [internal] load .dockerignore                                                             0.0s
 => => transferring context: 2B                                                               0.0s
Check complete, 1 warning has been found!

WARNING: SecretsUsedInArgOrEnv - https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
Do not use ARG or ENV instructions for sensitive data (ARG "AUTH_JWT_NGINX_MODULE_VERSION")
Dockerfile:125
--------------------
 123 |         make install;
 124 |     
 125 | >>> ARG AUTH_JWT_NGINX_MODULE_VERSION='2.0.3'
 126 |     
 127 |     RUN \
--------------------

The variable is supposed to contain a string with the release version of the Nginx module repository: https://github.com/TeslaGov/ngx-http-auth-jwt-module.

Yes, the variable name contains "auth", but it ends with "version". Therefore, what if the linter skipped variables that end/start with "version"?

Initially, I raised the issue at the following nice repository: https://github.com/btidor/syntax/issues/1

Best and kind regards 🪐
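
To make the trade-off concrete, here is an added example (not buildkit's own linter code) that models a keyword-based secret-name heuristic and the "skip names that start or end with version" exemption proposed above. The keyword list, the regular expression and all function names are assumptions for illustration, not the real rule's implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed keyword list: a name is suspicious when one of these appears as a
// whole, underscore-delimited word (case-insensitive). Illustrative only.
var secretTokens = []string{
	"apikey", "auth", "credential", "credentials", "key",
	"password", "pword", "passwd", "secret", "token",
}

var secretNameRe = regexp.MustCompile(
	`(?i)(?:_|^)(?:` + strings.Join(secretTokens, "|") + `)(?:_|$)`)

// looksLikeSecret is the baseline heuristic the warning in the issue reflects.
func looksLikeSecret(name string) bool { return secretNameRe.MatchString(name) }

// versionExempt models the exemption proposed in the issue.
func versionExempt(name string) bool {
	n := strings.ToLower(name)
	return strings.HasPrefix(n, "version") || strings.HasSuffix(n, "version")
}

// argName extracts the variable name from a single-key ARG or ENV instruction.
func argName(instruction string) (string, bool) {
	fields := strings.Fields(instruction)
	if len(fields) < 2 {
		return "", false
	}
	if kw := strings.ToUpper(fields[0]); kw != "ARG" && kw != "ENV" {
		return "", false
	}
	name, _, _ := strings.Cut(fields[1], "=")
	return name, true
}

// checkInstruction reports whether the baseline rule warns, and whether the
// rule with the proposed exemption would still warn, for one instruction.
func checkInstruction(instruction string) (baseline, withExemption bool) {
	name, ok := argName(instruction)
	if !ok {
		return false, false
	}
	baseline = looksLikeSecret(name)
	return baseline, baseline && !versionExempt(name)
}

func main() {
	// Constructed sample instructions; the first is the one from the issue.
	for _, line := range []string{
		"ARG AUTH_JWT_NGINX_MODULE_VERSION='2.0.3'",
		"ARG API_TOKEN",
		"ENV AUTHOR=someone",
		"ARG PASSWORD_VERSION=2",
	} {
		b, e := checkInstruction(line)
		fmt.Printf("%-45s baseline=%-5v with_exemption=%v\n", line, b, e)
	}
}
```

The last sample shows the cost of the exemption: a name such as PASSWORD_VERSION would no longer be flagged either, so the false-negative side deserves a look before narrowing the rule.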

tonistiigi commented 2 weeks ago

@colinhemmings