Add a repository setting to enable per-repository caching for Docker images instead of the default global one. Make new repositories use per-repository caching, as it's safer from a security perspective.
Context
Right now, Dockerfile as a CI environment is cached globally. Because of #273, it is possible to inject malicious scripts and then remove them, so a PR will look harmless but the cached image will still contain the malicious code. It's documented in #760.
#273 and #692 can help to lower the risk but they won't completely mitigate the potential vector of attack.
While building the image, we've added the --cache-from flag to use the legacy globally cached image, if any. This should minimize the disturbance of the change by making the rebuild just copy over the legacy image to the new location.