Runner mounts socket which is $bad #4
As we now know from https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers, it is a considerable attack vector to expose the docker socket to other containers. We do this for the runner in
e54a564923/compose.yml (L8)
because this runner spawns its own containers. That actually can't be avoided, I would say. Maybe we need to consider moving the runner to its own machine which is locked down away from other apps.

/cc @kawaiipunk
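
One way to audit a compose file for the socket mount this issue describes, as an added example that is not code from the repository. The sample compose content, the service names and the `find_socket_mounts` helper are constructed for illustration, and the line-based scan assumes conventional block-style YAML indentation.

```python
import re

# Constructed sample for illustration; this is not the repository's compose.yml.
SAMPLE_COMPOSE = """\
services:
  runner:
    image: example/runner:latest
    volumes:
      - ./data:/data
      - /var/run/docker.sock:/var/run/docker.sock
  proxy:
    image: example/proxy:latest
    volumes:
      - type: bind
        source: "/run/docker.sock"
        target: /var/run/docker.sock
        read_only: true   # read-only mount still allows API calls over the socket
  db:
    image: example/db:latest
    volumes:
      - dbdata:/var/lib/db
"""

# Host side of a bind mount: short form "- host:container" or long form "source: host".
HOST_SOCKET = re.compile(r"""^\s*(?:-\s*)?(?:source:\s*)?["']?(/\S*?docker\.sock)(?=[:"'\s]|$)""")

def find_socket_mounts(compose_text):
    """Return (service, line_number, host_path) for each Docker socket bind mount."""
    findings, in_services, service, svc_indent = [], False, None, None
    for line_no, raw in enumerate(compose_text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # top-level key: only "services:" is of interest
            in_services, service, svc_indent = line == "services:", None, None
            continue
        if not in_services:
            continue
        if svc_indent is None:
            svc_indent = indent  # first nested level holds the service names
        if indent == svc_indent:
            service = line.strip().rstrip(":")
            continue
        match = HOST_SOCKET.match(line)
        if match:
            findings.append((service, line_no, match.group(1)))
    return findings
```

Running `find_socket_mounts` over each compose file in a deployment gives an inventory of the services that hold the daemon socket, which is the list to review when deciding what should move to an isolated host.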