alulsh / alulsh.github.io Goto Github PK

Hello 👋

I Really enjoyed reading your blog. Recently at work we have been iterating over our Dockerfile for some nodeJS apps and it was great as a reference to communicate trade-offs.

One of our devops/platform engineers showed me a very cool thing not covered in either this article, or the linked one on secrets; so I wanted to contact you, to tell you about it.

Apparently (automated CI builds have succeeded using this), you can both commit a .npmrc, and maintain security using nothing more than a file with wrote environment expansion, and using ARG not ENV to in a build stage make the secret value available.

registry=https://your-domain-6438763483.d.codeartifact.eu-west-1.amazonaws.com/npm/team/
@products:registry=https://your-domain-6438763483.d.codeartifact.eu-west-1.amazonaws.com/npm/team/
//your-domain-6438763483.d.codeartifact.eu-west-1.amazonaws.com/npm/team/:_authToken=${NPM_TOKEN}

FROM node:18-alpine as base
ARG NPM_TOKEN
RUN npm set progress=false
EXPOSE 3000
WORKDIR /usr/src/app
COPY ./path-to/npmrc.template ./npmrc
COPY ./path-to/code /usr/src/app
RUN npm ci --omit=optional --no-audit

# ---- as many other stages as you like / need ----

FROM base AS release
RUN npm prune --omit=optional --no-audit --omit=dev
CMD npm start

• If someone does steal the .npmrc file, they only know the environment variable you are storing the code in.
• If (like I will be), you use something with an automated CLI to generate an ephemeral token value, then you may have something like --duration-seconds that you can pass to for example aws codeartifact get-authorization-token, which then can be used to mitigate the token validity through lifetime, in even CI pipelines.
• if you use npm token create within official or supported environments, you could use --read-only with --cidr based IP pattern restriction. npm token docs

Anyway, I hope this is useful if you did not already know about it.