Don’t leak your Docker image’s build secrets
In January 2021, Codecov suffered a security breach.
The mechanism:
The [malicious] actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.
It’s unclear from the description what specific kind of secret was involved, but as you can see, a leaked secret can be a significant problem.
You want to ensure your secrets don’t end up getting leaked in your image!
In this article I’m specifically going to focus on the security of build secrets.
Building a Docker image often involves installing packages or downloading code, and if you’re installing private code you often need to gain access with a secret: a password, a private key,