use Defang secret-detector to identify potential secret leaks before publishing OCI artifacts #12620
pkg/compose/publish.go

    func (s *composeService) checkForSensitiveData(project *types.Project) ([]secrets.DetectedSecret, error) {
        scan := scanner.NewDefaultScanner()

        input, err := project.MarshalYAML()
you MUST check each individual file in the compose project, not just the final model. Otherwise I may publish:

compose.yaml

    services:
      test:
        some: MY_SECRET_PASSWORD

compose.yaml

    services:
      test:
        some: !override ${ENTER_YOUR_OWN_SECRET}

Publisher expectation would be that the secret is not exposed to the consumer, but actually it is.
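To make the reviewer's point concrete, here is an added example that is not code from the docker/compose PR: scanning only the merged model sees the override placeholder and reports nothing, while scanning each source file catches the hard-coded password. The file names, YAML content, the line-based merge and the regex (a toy stand-in for the Defang scanner) are all constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed samples for the reviewer's scenario: compose.yaml hard-codes a
// password, compose.override.yaml replaces that key with a placeholder.
var composeFiles = map[string]string{
	"compose.yaml":          "services:\n  test:\n    environment:\n      PASSWORD: MY_SECRET_PASSWORD\n",
	"compose.override.yaml": "services:\n  test:\n    environment:\n      PASSWORD: !override ${ENTER_YOUR_OWN_SECRET}\n",
}

// Toy stand-in for Defang's rules (an assumption, not the real detector):
// a sensitive-looking key whose value is a literal rather than a ${VAR} reference.
var secretRe = regexp.MustCompile(`(?im)^\s*(?:password|secret|token|api_key)\s*:\s*([^$\s]\S*)`)

// findSecrets returns the literal values the toy scanner flags in one document.
func findSecrets(doc string) []string {
	var found []string
	for _, m := range secretRe.FindAllStringSubmatch(strings.ReplaceAll(doc, "!override ", ""), -1) {
		found = append(found, m[1])
	}
	return found
}

// mergeOverride is a toy "last file wins" merge for scalar keys: an override
// line replaces the base line that has the same key and indentation.
func mergeOverride(base, override string) string {
	merged := strings.Split(strings.TrimRight(base, "\n"), "\n")
	for _, line := range strings.Split(strings.TrimRight(override, "\n"), "\n") {
		key, val, _ := strings.Cut(line, ":")
		for i, b := range merged {
			if bk, _, _ := strings.Cut(b, ":"); bk == key {
				merged[i] = key + ":" + strings.Replace(val, " !override", "", 1)
			}
		}
	}
	return strings.Join(merged, "\n") + "\n"
}

// ScanMergedModel scans only the resolved model; ScanEachFile scans every source file.
func ScanMergedModel() []string {
	return findSecrets(mergeOverride(composeFiles["compose.yaml"], composeFiles["compose.override.yaml"]))
}
func ScanEachFile() map[string][]string {
	out := map[string][]string{}
	for name, doc := range composeFiles {
		out[name] = findSecrets(doc)
	}
	return out
}
func main() { fmt.Println(ScanMergedModel(), ScanEachFile()) }
```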
I had to load compose files without interpolation and env resolution, then marshal them back to YAML because
…publishing OCI artifacts Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
    }

    // Check configs defined by files
    for _, config := range project.Configs {
AFAICT we do not publish the configs and secrets files (yet) as part of the publish command
What I did

Use Defang Labs secret-detector library to detect potential secret leaks before publishing OCI artifacts and ask the user if they really want to publish their Compose stacks with that data.

Related issue

https://docker.atlassian.net/browse/APCLI-876
