Azure DevOps - how to build a pipeline that uses npm securely for Docker images



This is a setup for npm, Docker images and a React app (this doesn't matter, I guess).

In this post, we are going to be building a secure pipeline. When we say secure, we mean:

a) No PAT token is saved in source code or as an insecure variable. No credential is leaked. We also separate the pipeline and allow it to evolve independently.

b) No token is written into the Docker image. A user will not be able to use `docker inspect` / `docker history` to obtain the PAT token.

In a nutshell, we use Azure DevOps and the build machine to install npm packages, then copy all the files, assets and node_modules into Docker for the next steps to build it.

I know some of you might say we want a fully containerized build. This is a good way too, if you think about it: you don't have to generate a user .npmrc file and somehow maintain it in a variable group. It just makes the steps so much simpler.


This is the Azure DevOps build pipeline setup



Let's look at the dockerfile setup
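To check requirement (b) on a built image, this added example (not code from the original post) scans the text of `docker history --no-trunc` and `docker inspect` for npm credentials and reports only the names it finds, never the values. The regex heuristics, the variable name `NPM_TOKEN`, the registry host and the sample outputs are constructed assumptions.

```python
import json
import re

# Heuristics assumed for this example: .npmrc credential keys, and NAME=value
# pairs whose name looks like a secret. Ordinary variables such as PATH= must not match.
NPMRC_CRED = re.compile(r":(_authToken|_password|_auth)\s*=\s*\S+")
SECRET_VAR = re.compile(r"\b(\w*(?:TOKEN|PASSWORD|SECRET)\w*|\w+_PAT)=\S+", re.I)


def find_secrets(text):
    """Return the names (never the values) of credential-like items in text."""
    names = [m.group(1) for m in NPMRC_CRED.finditer(text)]
    names += [m.group(1) for m in SECRET_VAR.finditer(text)]
    return sorted(set(names))


def scan_history(history_text):
    """Scan `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` (layer 0 is newest)."""
    return [("history", layer, name)
            for layer, line in enumerate(history_text.splitlines())
            for name in find_secrets(line)]


def scan_inspect(inspect_text):
    """Scan Config.Env and Config.Labels in the JSON printed by `docker inspect IMAGE`."""
    findings = []
    for image in json.loads(inspect_text):
        config = image.get("Config") or {}
        pairs = list(config.get("Env") or [])
        pairs += [f"{k}={v}" for k, v in (config.get("Labels") or {}).items()]
        for pair in pairs:
            findings += [("inspect", image.get("Id", "?"), n) for n in find_secrets(pair)]
    return findings


# Constructed sample data; the token value is a fake placeholder.
LEAKY_HISTORY = """\
CMD ["nginx" "-g" "daemon off;"]
RUN |1 NPM_TOKEN=FAKE-PAT-0000 /bin/sh -c echo "//registry.example/npm/:_password=${NPM_TOKEN}" > .npmrc && npm ci # buildkit
ARG NPM_TOKEN
"""
CLEAN_HISTORY = """\
RUN /bin/sh -c npm run build # buildkit
COPY node_modules ./node_modules # buildkit
ENV PATH=/usr/local/bin:/usr/bin
"""
INSPECT = json.dumps([{"Id": "sha256:constructed", "Config": {
    "Env": ["PATH=/usr/local/bin", "NPM_TOKEN=FAKE-PAT-0000"], "Labels": None}}])
```

Run as a pipeline step after the image build, a non-empty result from either function is a reason to fail the build before the image is pushed.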





