
Build a Docker Image with a Maven settings.xml in it - Is it a Bad Practice?

We have this use case where we want to run acceptance tests on our application with maven. For this we are looking into building our docker image with maven settings.xml copied into it. Obviously, the settings xml contains sensitive data about connection to remote artefact repos etc. I am in a dilemma, whether we should copy it in the docker image, or is it a bad practice and we should be looking into other ways to achieve this.

Edit - Another point, our docker images are pushed to private registries which are accessible only to authorised users.

There's absolutely no security around the contents of a Docker image. Anyone who gets the image can trivially read its `docker history` and read or copy arbitrary files out of the image.

As such I'd try very hard to keep credentials out of my Docker image build process entirely. If the `settings.xml` file has usernames and passwords in it, it's much better to find a different way to do the setup required. Similarly, adding an ssh private key, AWS credentials, or a GitHub access token to an image will compromise those credentials.

If the `settings.xml` file only contains internal hostnames (but not credentials), or if the password is intentionally bad, it's a question of how much risk you're willing to tolerate. If you have a URL like `http://build:passw0rd@build.internal.example.com` where that internal hostname isn't externally accessible, you could argue that's "enough" security given the very guessable username and password and you don't need to go out of your way to hide it, especially if you think you can trust your end users.
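A pre-build check in the spirit of the answer above, as an added example that is not part of the original post: it parses a `settings.xml` and reports literal passwords in `<server>` entries and credentials embedded in repository URLs, so a CI step can fail before the file is copied into an image. The sample file, its `/repo` path and the `REPO_PASSWORD` variable name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SECRET_TAGS = {"password", "passphrase"}
# A value that is only a ${...} property reference (e.g. ${env.REPO_PASSWORD})
# is resolved by Maven at build time and is not a literal secret in the file.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample input, not taken from any real project.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>releases</id><username>build</username><password>passw0rd</password></server>
    <server><id>snapshots</id><username>build</username><password>${env.REPO_PASSWORD}</password></server>
  </servers>
  <mirrors>
    <mirror><id>internal</id><mirrorOf>*</mirrorOf>
      <url>http://build:passw0rd@build.internal.example.com/repo</url></mirror>
  </mirrors>
</settings>"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def find_embedded_credentials(settings_xml):
    """Return (kind, location) findings for literal secrets in a settings.xml string."""
    findings = []
    root = ET.fromstring(settings_xml)
    for server in (e for e in root.iter() if local(e.tag) == "server"):
        sid = next((c.text for c in server if local(c.tag) == "id"), "?")
        for child in server:
            value = (child.text or "").strip()
            if local(child.tag) in SECRET_TAGS and value and not PLACEHOLDER.match(value):
                findings.append((local(child.tag), f"server '{sid}'"))
    # Any <url> element (mirror, repository, ...) may carry user:password@host.
    for elem in root.iter():
        if local(elem.tag) == "url" and elem.text:
            parts = urlsplit(elem.text.strip())
            if parts.password and not PLACEHOLDER.match(parts.password):
                findings.append(("url-userinfo", parts.hostname))
    return findings

if __name__ == "__main__":
    hits = find_embedded_credentials(SAMPLE)
    for kind, where in hits:
        print(f"literal credential ({kind}) in {where}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI step
```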
