
Logged Secret

High
rchincha published GHSA-c37v-3c8w-crq8 May 22, 2025

Package

ghcr.io/project-zot/zot-linux-amd64:latest

Affected versions

v2.1.3-rc4

Patched versions

v2.1.3

Description

Summary

When Keycloak is configured as an OpenID Connect (OIDC) provider, the configured clientsecret is printed in clear text to the container's stdout logs, for example when the configuration is logged at container startup. Anyone with access to the container logs (kubectl logs, a log aggregator, CI output) can therefore read the secret.

Details

Container image (as of 15 April 2025): ghcr.io/project-zot/zot-linux-amd64:latest

Here is an example of a configuration that triggers the problem (only the relevant http section is shown):

```json
{
  "http": {
    "address": "0.0.0.0",
    "port": 5000,
    "externalUrl": "https://zot.example.com",
    "auth": {
      "failDelay": 1,
      "openid": {
        "providers": {
          "oidc": {
            "name": "Keycloak",
            "clientid": "zot-client-id",
            "clientsecret": "fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l",
            "keypath": "",
            "issuer": "https://keycloak.example.com/realms/example",
            "scopes": ["openid"]
          }
        }
      }
    }
  }
}
```

PoC

Deploy a fresh zot instance on Kubernetes with the configuration above, then read the container's stdout logs (for example with kubectl logs): the value of clientsecret appears verbatim in the startup output.
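The underlying mistake is logging the whole configuration object without masking credential fields. The following Go program is an added example, not zot's own code: it parses a config with the same shape as the one above (constructed sample, same placeholder secret), returns a copy with every key containing "secret", "password" or "token" masked so it can be logged safely, and provides a check that fails if a captured log line still contains the secret verbatim. The log line it scans is a constructed stand-in for whatever your deployment actually prints; the function and key names are illustrative, not zot's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample config mirroring the advisory's example; the secret is a placeholder.
const sampleConfig = `{
  "http": {
    "address": "0.0.0.0",
    "port": 5000,
    "externalUrl": "https://zot.example.com",
    "auth": {
      "failDelay": 1,
      "openid": {
        "providers": {
          "oidc": {
            "name": "Keycloak",
            "clientid": "zot-client-id",
            "clientsecret": "fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l",
            "keypath": "",
            "issuer": "https://keycloak.example.com/realms/example",
            "scopes": ["openid"]
          }
        }
      }
    }
  }
}`

// sampleSecret is the placeholder value from sampleConfig, used by the leak check below.
const sampleSecret = "fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l"

// sensitiveFragments are substrings of config keys whose values must never be logged.
// Matching is case-insensitive on the key name only, so "clientid" stays visible.
var sensitiveFragments = []string{"secret", "password", "token"}

func isSensitiveKey(key string) bool {
	k := strings.ToLower(key)
	for _, frag := range sensitiveFragments {
		if strings.Contains(k, frag) {
			return true
		}
	}
	return false
}

// Redact walks a decoded JSON value and replaces the value of every sensitive key,
// at any nesting depth, with "[REDACTED]". Non-sensitive values are copied unchanged.
func Redact(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if isSensitiveKey(k) {
				out[k] = "[REDACTED]"
			} else {
				out[k] = Redact(val)
			}
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = Redact(val)
		}
		return out
	default:
		return v
	}
}

// RedactedConfigJSON returns the JSON that a "configuration loaded" log line should print:
// the original config with credential fields masked.
func RedactedConfigJSON(raw string) (string, error) {
	var cfg interface{}
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return "", err
	}
	b, err := json.Marshal(Redact(cfg))
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// LogLeaksSecret reports whether a captured log line contains the configured secret verbatim.
// Run it over `kubectl logs` output as a regression check after upgrading.
func LogLeaksSecret(logLine, secret string) bool {
	return secret != "" && strings.Contains(logLine, secret)
}

func main() {
	redacted, err := RedactedConfigJSON(sampleConfig)
	if err != nil {
		panic(err)
	}
	fmt.Println(redacted)
	// Constructed log line standing in for an unpatched startup log that dumps the raw config.
	leakyLine := `{"level":"info","msg":"configuration settings","params":` + sampleConfig + `}`
	fmt.Println("unpatched line leaks secret:", LogLeaksSecret(leakyLine, sampleSecret))
	fmt.Println("redacted line leaks secret: ", LogLeaksSecret(redacted, sampleSecret))
}
```

Masking by key name rather than by value means the check still works for secrets that are loaded from a file or environment variable at runtime and never appear in the on-disk config; the verbatim-value scan is the complementary check to run against real logs once you know the deployed secret.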

Impact

Exposure of the OIDC client secret to anyone who can read the container's stdout logs whenever an OIDC provider is configured. A leaked client secret lets an attacker impersonate the zot client towards the identity provider; rotate the secret in Keycloak after upgrading to a patched version.

Severity

High

CVE ID

CVE-2025-48374

Weaknesses

No CWEs

Credits