Docker offers a feature to mount files and directories for specific RUN instructions when building Docker images. This feature can be used to provide secrets to the commands that are executed during the build without baking them into the image. Additionally, it can be used to access SSH agents during the build.

By using the mode option the permissions of the secrets or agents can be modified. By default, access is limited to the root user.

When such secrets are exposed with lax permissions, they might get compromised during the image build process. A successful compromise can only happen during the execution of the command the mount option has been added to. While this might seem like a very hard exploitation requirement, supply chain attacks, and other related threats, should still be considered.

If you are executing a command as a low-privileged user and need to access secrets or agents, you can use the options uid and gid to provide access without having to resort to world-readable or writable permissions that might expose them to unintended parties.

Noncompliant Code Example

RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh # Noncompliant

Compliant Solution

RUN --mount=type=secret,id=build_secret,uid=1000 ./installer.sh

See

• MITRE, CWE-732 - Incorrect Permission Assignment for Critical Resource
• Dockerfile reference - RUN --mount