1FROM node:20-alpine AS builder
2ARG NPM_TOKEN
3WORKDIR /app
4COPY . .
5RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc && \
6 npm install && rm .npmrc
7
8FROM node:20-alpine
9WORKDIR /app
10COPY --from=builder /app /app
11CMD ["node", "server.js"]
no lines flagged
#076PracticeHard30 min · 200 XP
Build Secret Leaked into Final Image Layer
A private npm registry token used during the build is recoverable from the published image, even though the final stage never references it.
Flagged linesNo lines flagged yet
What's wrong?
Flag a line or write a note to submit.