Change text for docker

rules/S6437/docker/rule.adoc

@@ -1,36 +1,47 @@
-== Why is this an issue?
+include::../../../shared_content/secrets/description.adoc[]
 
-Sensitive data has been found in the Dockerfile or Docker image. The data
-should be considered breached.
+== Why is this an issue?
 
-If malicious third parties can get a hold of such information, they could
-impersonate legitimate identities within the organization. +
-It is a clear breach of trust in the system, as the systems involved falsely
-assume that the authenticated entity is who it claims to be. +
-The consequences can be catastrophic.
+include::../../../shared_content/secrets/rationale.adoc[]
 
-In Dockerfiles, secrets hard-coded, secrets passed through as variables or
+In Dockerfiles, hard-coded secrets and secrets passed through as variables or
 created at build-time will cause security risks. The secret information can be
-exposed either via the container environment itself, the image metadata or the
-build environment logs.
+exposed either via the container environment, the image metadata, or the build
+environment logs.
 
-Docker Buildkit's secret mount options should be used when secrets have to be
-accessed at build time. For run-time secrets, best practices would recommend
-only setting them at runtime, for example with the `--env` option of the docker
-run command.
+=== What is the potential impact?
 
-Note that files exposing the secrets should be securely stored and not exposed
-to a large sphere. If possible, use a secret vault or another similar
-component. For example, *Docker Swarm* provides a *secrets* service that can be
-used to handle most confidential data.
+include::../common/impact/rationale.adoc[]
 
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
 
-=== Noncompliant code example
+include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+
+== How to fix it
+
+Best practices recommend using a secret vault for all secrets that must be
+accessed at container runtime. This will ensure the secret's security and
+prevent any further unexpected disclosure. Depending on the development platform
+and the leaked secret type, multiple solutions are currently available.
+
+For all secrets that must be accessed at image build time, it is recommended to
+rely on Docker Buildkit's secret mount options. This will prevent secrets from
+being disclosed in image's metadata and build logs.
+
+Additionally, investigations and remediation actions should be conducted to
+ensure the current and future security of the infrastructure.
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
 
-The following code snippet demonstrates the creation of a file with a private
-key and a public key, which are then stored in the metadata of the container. +
-This is non-compliant, as the private key should not be exposed anywhere.
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
 
+=== Code examples
+
+=== Noncompliant code example
+
+The following code sample generates a new SSH private key that will be stored in
+the generated image. This key should be considered as compromised. Moreover, the
+SSH key encryption passphrase is also hardcoded.
 
 [source,docker, diff-id=1, diff-type=noncompliant]
 ----
@@ -42,8 +53,8 @@ RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key
 RUN /example.sh --ssh /etc/ssh/rsa_key
 ----
 
-In the following sample, the code uses a seemingly-hidden password which is
-actually leaked after the container is built.
+The following code sample uses a seemingly hidden password which is actually
+leaked in the image metadata after the build.
 
 [source,docker, diff-id=2, diff-type=noncompliant]
 ----
@@ -56,27 +67,23 @@ RUN wget --user=guest --password="$PASSWORD" https://example.com
 
 === Compliant solution
 
-For build-time secrets, use
-https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Buildkit's secret mount type] instead:
-
-[source,docker, diff-id=1, diff-type=compliant]
+[source,docker,diff-id=1,diff-type=compliant]
 ----
 FROM example
 
 RUN --mount=type=secret,id=ssh,target=/etc/ssh/rsa_key \
     /example.sh --ssh /etc/ssh/rsa_key
 ----
 
-[source,docker, diff-id=2, diff-type=compliant]
+[source,docker,diff-id=2,diff-type=compliant]
 ----
 FROM example
 
-RUN --mount=type=secret,id=wget_passwd \
-    wget --user=guest --password="$(cat /run/secrets/wget_passwd)" https://example.com
+RUN --mount=type=secret,id=wget,target=/home/user/.wgetrc \
+    wget --user=guest https://example.com
 ----
 
-For runtime secrets, leave the environment variables empty in the Dockerfile.
-Then store the runtime secrets in an
+For runtime secrets, store the runtime secrets in an
 https://docs.docker.com/compose/env-file/[environment file] such as `.env` and
 then start the container with the
 https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file[`--env-file`] argument:
@@ -88,11 +95,15 @@ docker run --env-file .env myImage
 
 == Resources
 
-* https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Dockerfile reference] - RUN command secrets mount points
-* https://docs.docker.com/engine/swarm/secrets/[Docker documentation] - Manage sensitive data with Docker secrets
-* https://cwe.mitre.org/data/definitions/522.html[MITRE, CWE-522] - Insufficiently Protected Credentials
-* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials
+include::../common/resources/documentation.adoc[]
 
+* Docker Documentation - https://docs.docker.com/engine/swarm/secrets/[Manage sensitive data with Docker secrets]
+* Docker Documentation - https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[RUN command secrets mount points]
+
+=== Standards
+
+* CWE - https://cwe.mitre.org/data/definitions/522.html[CWE-522 - Insufficiently Protected Credentials]
+* CWE - https://cwe.mitre.org/data/definitions/798.html[CWE-798 - Use of Hard-coded Credentials]
 
 ifdef::env-github,rspecator-view[]
 '''
@@ -115,5 +126,3 @@ For secret generation:
 
 '''
 endif::env-github,rspecator-view[]
-
-