Why is this an issue?
Docker offers a feature to mount files and directories for specific RUN instructions when building Docker images. This feature can be
used to provide secrets to the commands that are executed during the build without baking them into the image. Additionally, it can be used to access
SSH agents during the build.
By using the mode option the permissions of the secrets or agents can be modified. By default, access is limited to the root user.
When such secrets are exposed with lax permissions, they might get compromised during the image build process. A successful compromise can only
happen during the execution of the command the mount option has been added to. While this might seem like a very hard exploitation
requirement, supply chain attacks, and other related threats, should still be considered.
If you are executing a command as a low-privileged user and need to access secrets or agents, you can use the options uid and
gid to provide access without having to resort to world-readable or writable permissions that might expose them to unintended
parties.
Noncompliant code example
RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh # Noncompliant
Compliant solution
RUN --mount=type=secret,id=build_secret,uid=1000 ./installer.sh
Resources
