Merge pull request #6501 from jonasgeiler/feat/SecretsUsedInArgOrEnv-ignore-file-version

tonistiigi · web-flow · commit bb7bb2048e72 · 2026-02-05T11:48:10.000-08:00
frontend: prevent `SecretsUsedInArgOrEnv` warning for `_FILE`/`_VERSION` ARG/ENV names
diff --git a/frontend/dockerfile/dockerfile2llb/convert.go b/frontend/dockerfile/dockerfile2llb/convert.go
@@ -2616,6 +2616,8 @@ func getSecretsRegex() (*regexp.Regexp, *regexp.Regexp) {
 
 		allowTokens := []string{
 			"public",
+			"file",
+			"version",
 		}
 		allowPattern := `(?i)(?:_|^)(?:` + strings.Join(allowTokens, "|") + `)(?:_|$)`
 		secretsAllowRegexp = regexp.MustCompile(allowPattern)
diff --git a/frontend/dockerfile/dockerfile_lint_test.go b/frontend/dockerfile/dockerfile_lint_test.go
@@ -244,6 +244,9 @@ ENV apikey=bar sunflower=foo
 ENV git_key=
 ENV PUBLIC_KEY=
 ARG public_token
+ARG SECRET_PASSPHRASE_FILE
+ENV password_file=bar secret_File=baz
+ARG AUTH_MODULE_VERSION
 # check=skip=SecretsUsedInArgOrEnv // allow secret in environment
 ENV password=bar
 # check=skip=SecretsUsedInArgOrEnv // allow secret in arg

Original file line number	Diff line number	Diff line change
`@@ -2616,6 +2616,8 @@ func getSecretsRegex() (regexp.Regexp, regexp.Regexp) {`
`2616`	`2616`
`2617`	`2617`	`allowTokens := []string{`
`2618`	`2618`	`"public",`
	`2619`	`+ "file",`
	`2620`	`+ "version",`
`2619`	`2621`	`}`
`2620`	`2622`	allowPattern := `(?i)(?:_\|^)(?:` + strings.Join(allowTokens, "\|") + `)(?:_\|$)`
`2621`	`2623`	`secretsAllowRegexp = regexp.MustCompile(allowPattern)`