| 316 | } |
| 317 | |
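// preChecks runs the publish-time safety checks on project and reports
// whether publishing may proceed.
//
// It returns (true, nil) only when every check passes. It returns
// (false, nil) when a check declines without an error: checkOnlyBuildSection
// reports !ok, or the user does not confirm one of the prompts. It returns
// (false, err) as soon as any check or prompt fails.
//
// The checks run in this order: build-section check, bind mount
// declarations, detected sensitive data, environment variables.
func (s *composeService) preChecks(ctx context.Context, project *types.Project, options api.PublishOptions) (bool, error) {
	if ok, err := s.checkOnlyBuildSection(project); !ok || err != nil {
		return false, err
	}

	bindMounts := s.checkForBindMount(project)
	if len(bindMounts) > 0 {
		b := strings.Builder{}
		b.WriteString("you are about to publish bind mounts declaration within your OCI artifact.\n" +
			"only the bind mount declarations will be added to the OCI artifact (not content)\n" +
			"please double check that you are not mounting potential user's sensitive directories or data\n")
		// Map iteration order is unspecified, so the listing order can differ
		// between runs.
		for key, val := range bindMounts {
			// NOTE(review): key is written with no separator before the first
			// mount, and both key and v.String() are written unescaped. Confirm
			// what checkForBindMount puts in the key and whether these strings
			// can carry control characters from the project file.
			b.WriteString(key)
			for _, v := range val {
				b.WriteString(v.String())
				b.WriteRune('\n')
			}
		}
		b.WriteString("Are you ok to publish these bind mount declarations?")
		// NOTE(review): the second argument is presumably the default answer
		// (false = do not publish); confirm against s.prompt.
		confirm, err := s.prompt(b.String(), false)
		if err != nil || !confirm {
			return false, err
		}
	}

	detectedSecrets, err := s.checkForSensitiveData(ctx, project)
	if err != nil {
		return false, err
	}
	if len(detectedSecrets) > 0 {
		b := strings.Builder{}
		b.WriteString("you are about to publish sensitive data within your OCI artifact.\n" +
			"please double check that you are not leaking sensitive data\n")
		for _, val := range detectedSecrets {
			// NOTE(review): Type looks like a detector-supplied label rather
			// than project content; confirm before relying on it being safe to
			// print unescaped.
			b.WriteString(val.Type)
			b.WriteRune('\n')
			// The value is quoted like the key. It comes from project content,
			// and written raw (%s) any newline or terminal control character
			// in it would change how this confirmation prompt renders, which
			// is the one place the user reviews what is about to be published.
			//
			// NOTE(review): the detected value is still shown in full, so
			// anything that records this prompt (scrollback, CI logs) holds
			// the secret. Consider truncating it.
			fmt.Fprintf(&b, "%q: %q\n", val.Key, val.Value)
		}
		b.WriteString("Are you ok to publish these sensitive data?")
		confirm, err := s.prompt(b.String(), false)
		if err != nil || !confirm {
			return false, err
		}
	}

	if err := s.checkEnvironmentVariables(ctx, project, options); err != nil {
		return false, err
	}
	return true, nil
}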
| 366 | |
| 367 | // envCheckFindings groups everything checkEnvironmentVariables surfaces to |
| 368 | // the user during publish pre-checks for env-related leak risks. |