fix(docker): use ARG for POSTGRES_PASSWORD in choreo postgres Dockerfile #484
prdai wants to merge 1 commit into
Conversation
…age layers Closes LDFLK#448. Hardcoded passwords in ENV and RUN instructions persist in image layers and can be inspected via `docker history`. Switched to a build-time ARG so the value is not retained in the final image, with `postgres` as the development default. Override with: docker build --build-arg POSTGRES_PASSWORD=... . Runtime connectors continue to read POSTGRES_PASSWORD from the deployment environment (e.g. Choreo config), so behavior is unchanged.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR updates the development Postgres Docker image to avoid persisting a hardcoded superuser password at runtime by switching from ENV POSTGRES_PASSWORD to a build-time ARG, and uses that value when seeding the baked-in database.
Changes:
- Replace runtime `ENV POSTGRES_PASSWORD` with build-time `ARG POSTGRES_PASSWORD`.
- Use the build arg when running `ALTER USER postgres ...` during image build.
| # FIXME: https://github.com/LDFLK/OpenGIN/issues/448 - Hardcoded password. | ||
| psql -U postgres -c "ALTER USER postgres WITH PASSWORD 'postgres';" && \ | ||
| # Set superuser password from the POSTGRES_PASSWORD build arg. | ||
| psql -U postgres -c "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';" && \ |
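Review bot: the shell splices the build arg into a single-quoted SQL literal (`'${POSTGRES_PASSWORD}'`) with no escaping, so a `--build-arg` value containing a single quote yields a malformed ALTER USER and fails this RUN step, and an explicitly empty value makes PostgreSQL clear the password (it logs a notice that an empty string is not a valid password). Let psql do the quoting, e.g. `psql -U postgres -v pw="$POSTGRES_PASSWORD" -c "ALTER USER postgres WITH PASSWORD :'pw';"`, and guard the empty case with `"${POSTGRES_PASSWORD:?}"`; the value still rides on argv that way, so if the process list is a concern feed the statement over stdin instead.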
| # Superuser password is only needed at build time to seed the DB. ARG keeps | ||
| # the value out of the runtime image (ENV would persist it in image layers). | ||
| # Override at build time: docker build --build-arg POSTGRES_PASSWORD=... . | ||
| ARG POSTGRES_PASSWORD=postgres |
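Review bot: the comment on the second line overstates the guarantee. An ARG consumed by a RUN step is not set in the runtime environment, but its value is recorded in the image's history metadata (`docker history --no-trunc` shows a `|1 POSTGRES_PASSWORD=...` prefix on that layer), which the author's own follow-up note acknowledges. Reword to "not exposed as a runtime env var" and name `RUN --mount=type=secret` as the way to keep it out of history. Also confirm the ARG is declared before the RUN that expands it; an ARG is only in scope for instructions after its declaration and expands to empty otherwise.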
Code Review
This pull request improves security in the PostgreSQL Dockerfile by replacing the hardcoded POSTGRES_PASSWORD environment variable with a build argument (ARG), ensuring the password is not persisted in the final image layers. Feedback suggests further enhancing security by passing the password to the psql command via a here-string instead of a command-line argument to prevent exposure in the process list.
| # FIXME: https://github.com/LDFLK/OpenGIN/issues/448 - Hardcoded password. | ||
| psql -U postgres -c "ALTER USER postgres WITH PASSWORD 'postgres';" && \ | ||
| # Set superuser password from the POSTGRES_PASSWORD build arg. | ||
| psql -U postgres -c "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';" && \ |
Avoid passing sensitive information like passwords as command-line arguments to prevent them from being exposed in the process list. Instead, use methods like here strings (<<<) to pass the data via standard input. This approach is more secure than using command-line variables or direct interpolation which can be logged or viewed by other users on the system.
```sh
# Bash here-string; the default RUN shell (/bin/sh) lacks <<<, so use a here-document (<<EOF) there.
psql -U postgres <<< "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';"
```
References
- Avoid passing sensitive information like passwords as command-line arguments to prevent them from being exposed in the process list. Instead, use methods like here strings (<<<) to pass the data via standard input, or write it to a temporary file that is securely handled and deleted.
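A worked version of the stdin approach, as an added example that is not part of the review comment or of the PR's Dockerfile: it pipes the statement into psql under plain POSIX sh (the default `RUN` shell of Debian-based Postgres images, which has no bash `<<<`), and it escapes the password as a SQL literal so a value containing a single quote can neither break nor alter the statement. The `sql_literal`, `alter_password_sql` and `seed_superuser_password` names are my own.

```shell
#!/bin/sh
# Added example (not from the PR or the review): set the superuser password
# from $POSTGRES_PASSWORD by sending the statement over psql's stdin, so the
# password is not in psql's argv. POSIX sh only: no bash here-string (<<<),
# which the default RUN shell (/bin/sh) of Debian-based images lacks.
set -eu

# Quote a value as a SQL string literal by doubling embedded single quotes.
# Backslashes need no treatment: standard_conforming_strings is on by default.
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Build the ALTER USER statement with the password as a safely quoted literal,
# so a value such as  it's  cannot terminate the string early.
alter_password_sql() {
    printf 'ALTER USER postgres WITH PASSWORD %s;\n' "$(sql_literal "$1")"
}

# Pipe the statement into the given command (default: psql as the postgres
# superuser, aborting on the first error). The password crosses only the pipe,
# never a command line visible in the process list.
seed_superuser_password() {
    pw=$1
    shift
    [ $# -gt 0 ] || set -- psql -U postgres -v ON_ERROR_STOP=1
    alter_password_sql "$pw" | "$@"
}

# Usage inside a Dockerfile RUN step (constructed illustration):
#   RUN ... && seed_superuser_password "${POSTGRES_PASSWORD:?}" && ...
# Stand-alone demo: with psql on PATH apply it, otherwise just show the SQL.
if [ -n "${POSTGRES_PASSWORD:-}" ]; then
    if command -v psql >/dev/null 2>&1; then
        seed_superuser_password "$POSTGRES_PASSWORD"
    else
        seed_superuser_password "$POSTGRES_PASSWORD" cat
    fi
fi
```

Keeping the password off argv does not keep it out of the server log: PostgreSQL logs the full `ALTER USER ... PASSWORD` text when `log_statement` covers DDL, so check that setting in the build-time instance as well.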
Closes #448.
Replaced hardcoded `ENV POSTGRES_PASSWORD=postgres` with a build-time `ARG` (default `postgres`). Value no longer persists in the runtime image env. Override with `--build-arg POSTGRES_PASSWORD=...`. Tested: built with custom password, verified env not baked in, TCP auth works with correct pw and fails with wrong pw.
Note: ARG still shows in `docker history`. For stronger guarantees, BuildKit `--secret` would be a follow-up — out of scope for #448.
AI-assisted (Claude); diff and tests reviewed locally before pushing.
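A check for the two properties stated here (env not baked in; ARG still visible in `docker history`), as an added example that is not part of the PR: `scan_for_secret` looks for a fixed string in text, and `audit_image` feeds it the image's runtime env and layer history. The sample env and history strings are constructed to resemble `docker inspect --format '{{json .Config.Env}}'` and `docker history --format '{{.CreatedBy}}'` output, not captured from a real image; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the PR): check whether a build-time secret leaked
# into an image. Assumes a local docker CLI for audit_image; scan_for_secret
# works on plain text so it can run without Docker.
set -eu

# Return 0 when SECRET is absent from stdin, 1 when present. Fixed-string
# match (-F) so regex metacharacters in the secret are not interpreted.
scan_for_secret() {
    if grep -qF -- "$1"; then
        return 1
    fi
    return 0
}

# Audit IMAGE for SECRET in the runtime env (what ENV leaves behind) and in
# the layer history (where an ARG consumed by a RUN step is still recorded).
# Prints findings without echoing the secret; returns non-zero on any hit.
audit_image() {
    image=$1; secret=$2; rc=0
    if ! docker inspect --format '{{json .Config.Env}}' "$image" |
            scan_for_secret "$secret"; then
        echo "FAIL: secret present in runtime env of $image"
        rc=1
    fi
    if ! docker history --no-trunc --format '{{.CreatedBy}}' "$image" |
            scan_for_secret "$secret"; then
        echo "WARN: secret recorded in build history of $image" \
             "(keep it out with RUN --mount=type=secret)"
        rc=1
    fi
    return $rc
}

# Constructed samples (not real output) shaped like the two docker commands
# above, for an image built with --build-arg POSTGRES_PASSWORD=hunter2.
SAMPLE_ENV_ARG='["PATH=/usr/local/bin:/usr/bin:/bin","PGDATA=/var/lib/postgresql/data"]'
SAMPLE_ENV_ENV='["PATH=/usr/local/bin:/usr/bin:/bin","POSTGRES_PASSWORD=hunter2"]'
SAMPLE_HISTORY_ARG='RUN |1 POSTGRES_PASSWORD=hunter2 /bin/sh -c psql -U postgres -c ALTER_USER # buildkit
ARG POSTGRES_PASSWORD=postgres
FROM postgres:16'

# Usage after a build (image tag is a placeholder):
#   audit_image <image-tag> "$POSTGRES_PASSWORD"
# Expected for this PR's approach: the env check passes, the history check
# warns; the previous ENV approach fails both.
```

The env check is the one the PR's manual test covers; the history check is the gap the follow-up note describes, so wiring both into CI keeps the ENV variant from reappearing and makes the move to `--mount=type=secret` measurable.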