Skip to main content
Enforces --mount=type=secret on RUN instructions that execute commands requiring access to secrets — private registry credentials, API keys, cloud provider tokens, and similar sensitive data.

Description

BuildKit secret mounts (--mount=type=secret) are the recommended way to pass sensitive data into build steps without baking it into the image layer. Without enforcement it is easy to forget the mount flag, causing builds to fail or — worse — fall back to unauthenticated access silently. This rule lets you declare which commands need which secrets and enforces the declaration at lint time. Secrets can be mounted as files (via target) or as environment variables (via env). The rule is disabled by default and requires explicit user configuration mapping command names to secret mount specifications.

Configuration

Map each command name to a secret mount specification: At least one of target or env must be set. Both can be used together — Docker supports mounting a secret as both a file and an environment variable simultaneously.

Examples

Private package registry (pip + AWS CodeArtifact)

Before:
After --fix:
Build command:

AWS CLI with credentials file

Before:
After --fix:

GitHub CLI with token via environment variable

Before:
After --fix:
Build command:

Existing mounts are preserved

If a RUN already has other mounts (e.g., cache mounts), the fix inserts secret mounts without touching the rest of the instruction:

Cross-Rule Interaction

This rule works alongside tally/prefer-package-cache-mounts. Both rules can fire on the same RUN instruction. Both use zero-length insertions right after RUN for their mount flags, so they compose in a single --fix pass without conflicting.

References