pulumi-docker-build is vulnerable to Cleartext Storage of Sensitive Information
35
Low Risk
The docker-build:index:Image resource accepts a secrets input that holds sensitive build secret values passed directly by value. The provider schema and the language SDK do not mark this input as a Pulumi secret, so the supplied values are written to the stack state and shown in diffs and stack exports in plaintext. Anyone with access to the state file or to the operation output can read the unencrypted secrets. The fix marks the secrets input as secret in the schema and wraps it through the SDK with additional secret outputs so the values are encrypted in state.
You are affected if you are using a version that falls within the vulnerable range and pass values to the secrets input of the docker-build:index:Image resource.
pulumi-docker-build is vulnerable to Cleartext Storage of Sensitive Information in versions 0.0.1 - 0.0.19.
Upgrade the pulumi-docker-build library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant