woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0

[Important] Limit secret access to plugins only #1071

Closed 6543 closed 1 year ago

6543 commented 2 years ago

Similar to the images filter for secrets, add a checkbox to only inject a secret if the step is executed as a plugin.

This ensures only the intended entry point gets the secrets to handle.

This helps if a plugin is not based on a scratch image but does contain a shell that could be used.

bounty: 50$

anbraten commented 2 years ago

I don't see how this could protect secrets? You could just create a plugin (normal docker image) that leaks the secrets, couldn't you?

lafriks commented 2 years ago

This could be helpful in combination with trusted images, e.g. currently, when setting the trusted image woodpeckerci/plugin-git, you can still use:

```yaml
image: woodpeckerci/plugin-git
commands:
  - echo ${SECRET}
```

Adding such an option would prevent that.

6543 commented 2 years ago

```yaml
image: woodpeckerci/plugin-git
commands:
  - echo ${SECRET} | base58
```

-> it's a trusted image -> secret is leaked (you just have to decode it again)

I don't like to go into more detail about what else you could do ... but it's an open risk (if the repo is not gated)!
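The check the thread is asking for, written out as an added example in Go (Woodpecker's language); this is illustrative code, not Woodpecker's own implementation. It assumes a minimal `Step`/`Secret` model and that "executed as a plugin" means the step carries no `commands`, so the image entrypoint runs unchanged; the `PluginOnly` flag, the `ShouldInject` function and the sample step names are all hypothetical. The secret is filtered first by the existing image allow-list and then by the proposed plugin-only rule, so the `commands:` override shown above is denied even though the image itself is trusted.

```go
package main

import (
	"fmt"
	"path"
)

// Step is a hypothetical, minimal view of a pipeline step: the container
// image and the user-supplied commands. An empty command list means the
// step runs the image's own entrypoint, i.e. it is executed as a plugin.
type Step struct {
	Name     string
	Image    string
	Commands []string
}

// Secret is a hypothetical secret definition carrying the existing image
// filter plus the proposed "plugin only" flag from this issue.
type Secret struct {
	Name       string
	Images     []string // allowed image patterns; empty means any image
	PluginOnly bool     // proposed: inject only when the step is a plugin
}

// imageAllowed reports whether the step image matches one of the secret's
// allowed patterns (exact match or a path-style glob such as "org/*").
func imageAllowed(s Secret, image string) bool {
	if len(s.Images) == 0 {
		return true
	}
	for _, pattern := range s.Images {
		if pattern == image {
			return true
		}
		if ok, err := path.Match(pattern, image); err == nil && ok {
			return true
		}
	}
	return false
}

// isPlugin: a step without commands runs the image entrypoint unchanged,
// so only the plugin's own code ever sees the injected environment.
func isPlugin(st Step) bool { return len(st.Commands) == 0 }

// ShouldInject applies both filters and returns a reason when injection is
// denied, so the decision can be logged or surfaced in the pipeline UI.
func ShouldInject(s Secret, st Step) (bool, string) {
	if !imageAllowed(s, st.Image) {
		return false, fmt.Sprintf("image %q not in allow-list of secret %q", st.Image, s.Name)
	}
	if s.PluginOnly && !isPlugin(st) {
		return false, fmt.Sprintf("secret %q is plugin-only but step overrides the entrypoint with commands", s.Name)
	}
	return true, ""
}

func main() {
	// Constructed sample: a token restricted to the git plugin, plugin-only.
	token := Secret{Name: "git_token", Images: []string{"woodpeckerci/plugin-git"}, PluginOnly: true}
	steps := []Step{
		{Name: "clone", Image: "woodpeckerci/plugin-git"},                                             // plugin: allowed
		{Name: "leak", Image: "woodpeckerci/plugin-git", Commands: []string{"echo ${SECRET}"}},       // trusted image, commands override: denied
		{Name: "build", Image: "golang:1.21", Commands: []string{"go build ./..."}},                   // image not allowed: denied
	}
	for _, st := range steps {
		ok, why := ShouldInject(token, st)
		fmt.Printf("%-6s inject=%-5v %s\n", st.Name, ok, why)
	}
}
```

Running `main` prints one line per step; only `clone` gets the secret. The image filter alone would have let `leak` through, which is exactly the gap the two comments above point out.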

6543 commented 1 year ago

bounty: 50$