Potential security issue #53
We are looking into the best way to handle these credentials, thanks for the report. The file will indeed be available later, unless you log out or remove it.
Hi @simbamarufu1, this will be fixed through build-push-action v2 (#92) and more precisely the login-action if you want to try it.
Version 2 has been merged to the main branch and is therefore available via As a reminder, this new version changes drastically and works with 3 new actions (login, setup-buildx and setup-qemu) that we have created. Many usage examples have been added to handle most use cases. It should fix this current issue. Don't hesitate if you have any questions.
I'm sorry to bring the bad news, but I'd say that this issue was not fixed. It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in https://github.com/docker/login-action/blob/adb73476b6e06caddec5db0bc1deacbec8cdd947/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure. See https://github.com/eine/login-action/commits/master and https://github.com/eine/login-action/runs/1354438643?check_suite_focus=true#step:3:8. @crazy-max, can you please reopen this issue?
When using this action, the following warning is displayed and it states that secrets are visible inside the container in plaintext in `/github/home/.docker/config.json`. I am aware that action containers are ephemeral, but isn't this file accessible to subsequent executed actions?

```
Logging in to registry
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
```
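Two checks a pipeline owner can run to catch the two problems raised in this thread, written as an added example for this page and not taken from docker/login-action or build-push-action: an audit of a Docker `config.json` that reports every registry whose secret is stored only base64-encoded (the "stored unencrypted" case from the warning), and a scan of `docker login` stderr that collects `WARNING!` lines regardless of exit status, so a wrapper that discards stderr on success cannot hide them. The config contents and the stderr text are constructed samples; the warning wording mirrors the lines quoted above.

```python
"""Audit a Docker CLI config.json for unencrypted registry credentials and
surface `docker login` warnings that a wrapper might otherwise swallow.

Added example for this issue thread, not code from docker/login-action or
build-push-action. All inputs below are constructed samples.
"""
import base64
import json

# Constructed sample: what `docker login -u user -p pass` leaves behind when no
# credential helper is configured. "auth" is base64("username:password").
SAMPLE_CONFIG_PLAINTEXT = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"ci-user:s3cret-token").decode()
        }
    }
})

# Constructed sample: credentials delegated to a helper. The file only lists the
# registry; the secret lives in the helper's store, so there is no "auth" field.
SAMPLE_CONFIG_HELPER = json.dumps({
    "auths": {"https://index.docker.io/v1/": {}},
    "credsStore": "pass",
})

# Constructed sample of the stderr quoted in the issue, log line numbers dropped.
SAMPLE_LOGIN_STDERR = """\
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
"""


def plaintext_credentials(config_text):
    """Return {registry: username} for every auths entry carrying an "auth"
    field. Such a field is base64 of "user:password", i.e. recoverable by any
    later step that can read the file. The password itself is never returned."""
    cfg = json.loads(config_text)
    found = {}
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            continue  # served by credsStore / credHelpers, nothing stored here
        decoded = base64.b64decode(token).decode("utf-8", errors="replace")
        username, _, _password = decoded.partition(":")
        found[registry] = username
    return found


def uses_credential_helper(config_text):
    """True if a default credsStore or any per-registry credHelpers mapping is
    configured, which is the fix the docker warning points at."""
    cfg = json.loads(config_text)
    return bool(cfg.get("credsStore")) or bool(cfg.get("credHelpers"))


def login_warnings(stderr_text):
    """Collect `WARNING!` lines from docker login stderr. Scan these even when
    the command exits 0: the thread shows the insecure case is exactly the one
    where login succeeds and the warning would otherwise be discarded."""
    return [line for line in stderr_text.splitlines() if line.startswith("WARNING!")]


if __name__ == "__main__":
    print("plaintext credentials:", plaintext_credentials(SAMPLE_CONFIG_PLAINTEXT))
    print("helper configured:    ", uses_credential_helper(SAMPLE_CONFIG_HELPER))
    for warning in login_warnings(SAMPLE_LOGIN_STDERR):
        print("login emitted:", warning)
```

Run `plaintext_credentials` against the real `~/.docker/config.json` (or `/github/home/.docker/config.json` in a container) after the login step; a non-empty result means the secret sits on disk for every following step until a logout or file removal, which is the maintainers' own description of the behaviour above.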