Skip to content

fix: remove hardcoded OPENIDM_PASSWORD from ENV, use shell default in HEALTHCHECK#149

Merged
vharseko merged 2 commits into
masterfrom
copilot/remove-openidm-password-env
Apr 8, 2026
Merged

fix: remove hardcoded OPENIDM_PASSWORD from ENV, use shell default in HEALTHCHECK#149
vharseko merged 2 commits into
masterfrom
copilot/remove-openidm-password-env

Conversation

Copilot AI commented Apr 8, 2026

Copy link
Copy Markdown
Contributor

ENV OPENIDM_PASSWORD="openidm-admin" in both Dockerfiles bakes the password into every image layer, exposing it via docker inspect/docker history and triggering the SecretsUsedInArgOrEnv lint rule.

Changes

  • Dockerfile / Dockerfile-alpine: Remove ENV OPENIDM_PASSWORD="openidm-admin" (line 7 in both files)
  • HEALTHCHECK: Replace bare $OPENIDM_PASSWORD with ${OPENIDM_PASSWORD:-openidm-admin} — preserves the default while allowing runtime override via -e OPENIDM_PASSWORD=…
# Before
ENV OPENIDM_PASSWORD="openidm-admin"
HEALTHCHECK ... --header "X-OpenIDM-Password: $OPENIDM_PASSWORD" ...

# After
HEALTHCHECK ... --header "X-OpenIDM-Password: ${OPENIDM_PASSWORD:-openidm-admin}" ...
Original prompt

Problem

Both Dockerfile (line 7) and Dockerfile-alpine (line 7) define a sensitive password via ENV:

ENV OPENIDM_PASSWORD="openidm-admin"

This violates Docker best practice rule SecretsUsedInArgOrEnv — sensitive data should not be baked into image layers via ARG or ENV instructions, as it becomes visible through docker inspect / docker history.

The OPENIDM_PASSWORD variable is only used in the HEALTHCHECK command in both files.

Required Changes

1. Dockerfile (line 7)

Remove the line:

ENV OPENIDM_PASSWORD="openidm-admin"

Update the HEALTHCHECK command (line 32) to use a shell default value so it remains backward-compatible:

Replace $OPENIDM_PASSWORD with ${OPENIDM_PASSWORD:-openidm-admin} in the HEALTHCHECK curl command.

The HEALTHCHECK line should look like:

HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=3 CMD curl -i -o - --silent --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: ${OPENIDM_PASSWORD:-openidm-admin}"  http://localhost:8080/openidm/info/ping 2>&1 | grep -q "ACTIVE_READY"

2. Dockerfile-alpine (line 7)

Remove the line:

ENV OPENIDM_PASSWORD="openidm-admin"

Update the HEALTHCHECK command (line 33) identically — replace $OPENIDM_PASSWORD with ${OPENIDM_PASSWORD:-openidm-admin} in the HEALTHCHECK curl command.

Why

  • The password will no longer be stored in image layers.
  • Backward compatibility is preserved via the ${OPENIDM_PASSWORD:-openidm-admin} shell default.
  • Users can override the password at runtime via docker run -e OPENIDM_PASSWORD=... or Docker secrets.
  • Docker linters (hadolint, Docker Scout) will no longer report the SecretsUsedInArgOrEnv warning.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: предложи решение Sensitive data should not be used in the ARG or ENV commands: Dockerfile#L7
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "OPENIDM_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
Sensitive data should not be used in the ARG or ENV commands: Dockerfile-alpine#L7
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "OPENIDM_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Assistant:

Let me first examine the current Dockerfiles to understand how OPENIDM_PASSWORD is being used.

Assistant: Давайте разберём проблему и предложу решение.

Проблема

В обоих файлах (Dockerfile и Dockerfile-alpine) на строке 7 пароль OPENIDM_PASSWORD задаётся через ENV, что:

  1. Сохраняет секрет в слоях образа — любой, кто имеет доступ к образу, может выполнить docker inspect или docker history и увидеть пароль.
  2. Нарушает best-practice Docker — правило SecretsUsedInArgOrEnv.

OPENIDM_PASSWORD используется в одном месте — в HEALTHCHECK (строка 32/33).

Решение

Заменить ENV OPENIDM_PASSWORD на передачу секрета в runtime через переменную окружения при запуске контейнера (docker run -e), а в HEALTHCHECK читать её из файла или из окружения процесса.

Вариант 1 (рекомендуемый): Runtime-переменная + файл секрета

Убираем ENV OPENIDM_PASSWORD=... и используем Docker-секреты или переменную окружения, передаваемую при запуске:

Dockerfile:

FROM eclipse-temurin:25-jre-jammy

LABEL org.opencontainers.image.authors="Open Identity Platform Community"

ENV USER="openidm"
ENV OPENIDM_OPTS="-server -XX:+UseContainerSupport --add-exports java.base/com.sun.jndi.ldap=ALL-UNNAMED -Dlogback.configurationFile=conf/logging-config.groovy"

ARG VERSION

WORKDIR /opt

#COPY openidm-zip/target/openidm-*.zip ./

RUN apt-get update \
 && apt-get install -y --no-install-recommends curl unzip \
 && bash -c 'if [ ! -z "$VERSION" ] ; then rm -rf ./*.zip ; curl -L https://github.com/OpenIdentityPlatform/OpenIDM/releases/download/$VERSION/openidm-$VERSION.zip --output openidm-$VERSION.zip ; fi' \
 && unzip openidm-*.zip && rm -rf *.zip \
 && apt-get remove -y --purge unzip \
 && rm -rf /var/lib/apt/lists/* \
 && useradd -m -r -u 1001 -g root $USER \
 && install -d -o $USER /opt/openidm \
 && chown -R $USER:root /opt/openidm \
 && chgrp -R 0 /opt/openidm \
 && chmod -R g=u /opt/openidm \
 && chmod +x /opt/openidm/*.sh

EXPOSE 8080

USER $USER

HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=3 CMD curl -i -o - --silent --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: ${OPENIDM_PASSWORD:-openidm-admin}"  http://localhost:8080/openidm/info/ping 2>&1 | grep -q "ACTIVE_READY"

ENTRYPOINT ["/opt/openidm/startup.sh"]

Dockerfile-alpine:


</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

Copilot AI changed the title [WIP] Remove sensitive password from Dockerfile fix: remove hardcoded OPENIDM_PASSWORD from ENV, use shell default in HEALTHCHECK Apr 8, 2026
Copilot AI requested a review from vharseko April 8, 2026 09:30
@vharseko vharseko marked this pull request as ready for review April 8, 2026 09:41
@vharseko vharseko requested a review from maximthomas April 8, 2026 09:41
@vharseko vharseko merged commit 3beb3e8 into master Apr 8, 2026
14 checks passed
@vharseko vharseko deleted the copilot/remove-openidm-password-env branch April 8, 2026 10:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants