We recently updated from dockle 0.4.2 to 0.4.6 and started getting a lot of CIS-DI-0010 "Suspicious ENV key found" issues.
They are absolutely legitimate finds; if I do "docker history --no-trunc " I can see tokens passed in as ARGs embedded in the image. Hats off to Dockle for finding this before someone else did!
However, what is not clear to me is how to remediate the issue. There wasn't anything in the Dockle wiki that spoke to this specifically, and I didn't see where anyone else had asked in an issue. Could someone give me an idea what to do?
Hi @zfLQ2qx2 - do you mean how to suppress the warning, or how to mitigate the ENV findings?
For the former, you can use the --ignore CIS-DI-0010 prefix after the dockle command, before the name of the image.
For the latter, it's difficult to say without seeing the images, but it sounds like multi-stage builds would solve that issue, as the production-ready image can be rid of all 'build' artifacts.
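The multi-stage remediation suggested above, written out as an added example (this is not Dockle's code and not a Dockerfile from the reporter's images). The `leaky` stage reproduces the pattern that trips CIS-DI-0010 and is kept only for comparison; the `builder` and final stages are the corrected form. The `node` base image, the `NPM_TOKEN` / `npmrc` names and the `npm ci` build step are placeholders for whatever credential and build tool the real image passes through ARG; the BuildKit secret mount is an extra step beyond plain multi-stage that also keeps the token out of the builder stage's metadata.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the Dockle project or this issue). Image names, the
# NPM_TOKEN/npmrc identifiers and the npm build step are placeholders.

# --- "Before": the pattern that triggers CIS-DI-0010 ---------------------------
# An ARG consumed by RUN is recorded in that layer's history entry, and every
# ENV is written into the image config, so `docker history --no-trunc` and
# `docker inspect` show the token to anyone who can pull the image.
# This stage is not built unless you ask for it with `--target leaky`.
FROM node:20-alpine AS leaky
ARG NPM_TOKEN
ENV NPM_TOKEN=${NPM_TOKEN}
WORKDIR /app
COPY package.json package-lock.json ./
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > /root/.npmrc \
 && npm ci --omit=dev \
 && rm /root/.npmrc
COPY . .
CMD ["node", "server.js"]

# --- "After", stage 1: everything that needs the credential ---------------------
FROM node:20-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
# The secret is mounted as a file for this single RUN. It is neither an ARG nor
# an ENV, so it appears in no layer history and no image config, and it is not
# cached in the layer. Build with:
#   DOCKER_BUILDKIT=1 docker build --secret id=npmrc,src=$HOME/.npmrc -t app .
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc,required=true \
    npm ci --omit=dev
COPY . .

# --- "After", stage 2: a clean base that only receives build output -------------
# The final image's history contains these instructions plus the base image's;
# the builder's ARG/ENV/RUN lines are not inherited, so Dockle has nothing to
# flag and `docker history` shows no token.
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app /app
USER node
CMD ["node", "server.js"]
```

After rebuilding, verify with the same command the reporter used: `docker history --no-trunc app` should list the final stage's COPY and CMD entries only, and re-running `dockle app` should no longer report CIS-DI-0010 for that key. If a build still needs a plain `ARG` (no BuildKit available), keep it strictly inside the builder stage and never copy it into an `ENV`; the final stage will still be clean, but the builder stage and the host's build cache retain the value, which is why the secret mount is preferable.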