Building untrusted container images safely at scale

(depot.dev)
5 points Telstrom90 | 4 comments | 26 Jun 25 18:22 UTC | HN request time: 1.003s | source
1. adastra22 ◴[26 Jun 25 18:56 UTC] No.44390244[source]
I'm confused--what's the security risk in building a container?
replies(1): >>44391126 #
2. Telstrom90 ◴[26 Jun 25 20:42 UTC] No.44391126[source]
You're running untrusted code. Every RUN command in a user's Dockerfile is executed during build, which means you're executing arbitrary commands from strangers on your own infrastructure. If you're not isolating that properly, it's a security risk.
replies(1): >>44392775 #
3. adastra22 ◴[27 Jun 25 00:27 UTC] No.44392775{3}[source]
Inside the container though. The whole point of which is that it sandboxes and isolates the running code.