Having some basic checks for Dockerfiles is good and helps developers write better Dockerfiles.
But for multi-stage builds it might be necessary to disable some checks for one stage and (re)enable them for others.
Example:
We use multi-stage builds so as not to expose some secrets needed to access external systems that are required to build an image (Maven/NPM/Python registry and so on). The first stage gets the secret and can access the private registry to download/build the software needed.
The second stage just gets the compiled app and does not have access to the build args of the first stage.
With the current check implementation I can either have the "SecretsUsedInArgOrEnv" check enabled, complaining about it in the first stage (= false positive), or disable it and not see if someone accidentally injects secrets into the second stage (= possible false negative).
Updating the checks to allow switching them on and off for every stage (optionally) would help.
Another solution might be to disable checks for only the next line inside the Dockerfile (e.g. similar to the //NOSONAR flag for SonarQube).
Thanks
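The two-stage layout the issue describes, as an added example that is not part of the original post and not BuildKit's own code. Stage names, the registry host, the secret id `npmrc` and the npm project layout are assumptions. The first build stage takes the registry token as a build arg, which is the pattern the check flags (a name such as `NPM_TOKEN` matches its secret-name heuristics, and the value lands in that stage's layer history and build cache). The second build stage does the same work with a `RUN --mount=type=secret`, which never creates an ARG or ENV, so the check can stay enabled for the whole file and still catch a secret accidentally added to the runtime stage. Keeping both build stages in one file is only so that a single `docker build --check .` shows the warning on one stage and not the other; a real Dockerfile would keep only the secret-mount stage.

```dockerfile
# syntax=docker/dockerfile:1

# --- build stage as described in the issue: token arrives as a build arg ----
# `docker build --check .` reports SecretsUsedInArgOrEnv on the ARG below.
# The only file-level switch today is a global directive placed before the
# first FROM, e.g. `# check=skip=SecretsUsedInArgOrEnv`, which also silences
# the check for the runtime stage (the gap the issue points at).
FROM node:20 AS build-with-arg
WORKDIR /src
COPY package*.json ./
# Assumption: a token-based .npmrc for a private registry.
ARG NPM_TOKEN
RUN printf '//registry.example.internal/:_authToken=%s\n' "$NPM_TOKEN" > /root/.npmrc \
    && npm ci \
    && rm -f /root/.npmrc
COPY . .
RUN npm run build

# --- same work with a secret mount: no ARG/ENV, so the check stays quiet ----
# The file is mounted only for the duration of this RUN and is never written
# into a layer, so neither the image history nor the cache carries the token.
FROM node:20 AS build
WORKDIR /src
COPY package*.json ./
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
COPY . .
RUN npm run build

# --- runtime stage: receives only the compiled output ----------------------
# Any `ARG`/`ENV` holding a credential added here is still caught by the
# check, because nothing above disabled it.
FROM node:20-slim
WORKDIR /app
COPY --from=build /src/dist ./dist
COPY --from=build /src/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]
```

Lint with `docker build --check .`; build the hardened path with `docker build --secret id=npmrc,src=$HOME/.npmrc --target build .` (or without `--target` to produce the runtime image, which pulls in the `build` stage and leaves `build-with-arg` unused). Note that `--check` lints every stage in the file regardless of `--target`, which is why the unused `build-with-arg` stage still produces the warning.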
You can still set --target when running the --check request. Some of the checks are considered global, though (e.g. all FROM commands are checked to understand the layout of stages). If you have a specific case where it looks like an unrelated check runs for a specific target then we can look into it.
But it will not help us, unfortunately. Having lots of images with a different number of (and differently named) stages inside a global / generic build pipeline, it is not possible to directly call specific targets to disable some checks. It will not work to create image-specific build pipelines just for the checks.
Having said that, it would be really helpful to be able to enable/disable checks right before/after a FROM statement within the Dockerfile, for this and all following image builds, OR to be able to disable checks for one/two/... lines only, where the author knows it is a false positive.