diff --git a/rules/S6581/docker/rule.adoc b/rules/S6581/docker/rule.adoc index 76bda6781b4..d0a8175cc7a 100644 --- a/rules/S6581/docker/rule.adoc +++ b/rules/S6581/docker/rule.adoc @@ -1,5 +1,6 @@ -Setting the environment variable using the `ENV` instruction creates a new layer in the Docker image. -Calling `RUN unset ` creates a new layer, but the environment variable can be still dumped from the previous layer. +Setting an environment variable using the `ENV` instruction creates a new layer in the Docker image. The variable is then persisted for all subsequent build stages +and is also present in the resulting image. +Calling `RUN unset ` unsets the variable only for this particular layer, but it is still possible to dump the environment variable from the previous layer. == Why is this an issue? @@ -9,7 +10,7 @@ Calling `unset` doesn't prevent this information from being hidden for other com == How to fix it -To prevent runtime access, the environment variable can be set and unset in a single `RUN` instruction. +If an environment variable is needed only during build, this variable should be set and unset in a single `RUN` instruction. === Code examples @@ -33,8 +34,8 @@ RUN export ADMIN_USER="admin" \ === How does this work? In this example, the visibility of `ADMIN_USER` is only limited to the single layer. -However, the value can still be extracted from the image. -The best solution is to use `ARG` instead. +However, it is still possible to extract the value from the image. +The best solution is to use `ARG` instead of `ENV` or set and unset the variable in the same `RUN` instruction. == Resources === Documentation @@ -49,7 +50,7 @@ ifdef::env-github,rspecator-view[] === Message -Use the ARG instruction or set & unset environment variable in a single layer. +Use the ARG instruction or set and unset the environment variable in a single layer. === Highlighting
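Review bot: In the first hunk, the new sentence "Calling `RUN unset ` unsets the variable only for this particular layer" misstates the mechanism: `unset` only affects the shell process of that one `RUN` step, while a value set by `ENV` lives in the image configuration and stays set for every later instruction and in the running container. The way to keep it out of later steps is the one the rule's fix describes: never declare it with `ENV` and instead export it inside the single `RUN` that needs it. The rewrite also drops the variable name after `RUN unset ` (trailing space, nothing else inside the backticks); consider `RUN unset <VARIABLE>` or a concrete name. "Persisted for all subsequent build stages" overstates it as well: a later stage inherits the variable only when it starts `FROM` that stage, so "for the rest of the build stage and in the resulting image" would be accurate.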
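Review bot: The new "How to fix it" sentence in the second hunk names only the single-`RUN` set-and-unset approach, whereas the later "How does this work?" text calls `ARG` the best solution; state both options here so the rule text is consistent, e.g. "If an environment variable is needed only during build, pass it with `ARG` or set and unset it in a single `RUN` instruction." The unchanged context line just above it ("doesn't prevent this information from being hidden") reads inverted (it should be "from being visible" or "from being exposed") and is worth correcting while this section is being touched.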
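Review bot: The reworded explanation in the third hunk contradicts the compliant example it follows: that example already sets and unsets `ADMIN_USER` in one `RUN` (`RUN export ADMIN_USER="admin" \`), yet the text says the value "is still possible to extract from the image" and then recommends the very same single-`RUN` pattern as the solution. Either the snippet is the "before" of the fix and the wording should say so, or the explanation should say why the single-`RUN` form no longer leaks (an exported shell variable never enters the image configuration and is not recorded in the layer filesystem). Also qualify "the best solution is to use `ARG`": Docker's own documentation warns that build-argument values can be recovered from the image with `docker history`, so `ARG` is suitable for non-secret build configuration but not for credentials, which belong in a build secret mount.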