Fix SecretsUsedInArgOrEnv: remove ENV ROOT_PASSWORD from Dockerfiles

[Copilot]

ENV ROOT_PASSWORD="password" in both Dockerfiles bakes a sensitive value into the image — visible via docker inspect and persistent across all layers — triggering the SecretsUsedInArgOrEnv lint warning.

Changes

• Dockerfile / Dockerfile-alpine: Remove ENV ROOT_PASSWORD="password", replace with a comment directing users to pass the value at runtime
• run.sh: Resolve ROOT_PASSWORD at container startup with priority order: Docker secret file → env var → default "password"

# Read ROOT_PASSWORD from Docker secret file if available, fall back to env var, then default
if [ -f /run/secrets/root_password ]; then
  export ROOT_PASSWORD=$(tr -d '\n\r' < /run/secrets/root_password)
fi
export ROOT_PASSWORD=${ROOT_PASSWORD:-password}
export ******
echo "Password is set"

Runtime usage

Method	Example
Env var	docker run -e ROOT_PASSWORD=secret ...
Docker secret	Mount secret to /run/secrets/root_password
Default (unchanged)	omit — falls back to "password" via run.sh

The HEALTHCHECK lines referencing $ROOT_PASSWORD are unaffected — the variable is available at runtime via the above mechanisms.

Original prompt

Fix Docker lint warning: SecretsUsedInArgOrEnv for ROOT_PASSWORD

Problem

Both opendj-packages/opendj-docker/Dockerfile and opendj-packages/opendj-docker/Dockerfile-alpine have ENV ROOT_PASSWORD="password" on line 11, which triggers the Docker lint warning:

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "ROOT_PASSWORD")
https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Sensitive data baked into an image via ENV is visible in docker inspect and persists in every image layer.

Required Changes

1. opendj-packages/opendj-docker/Dockerfile (line 11):
Remove ENV ROOT_PASSWORD="password" and replace it with a comment explaining how to pass the password at runtime:

# ROOT_PASSWORD should be passed at runtime via: docker run -e ROOT_PASSWORD=...
# or mount a Docker secret file to /run/secrets/root_password
# Default value if not provided: "password"

2. opendj-packages/opendj-docker/Dockerfile-alpine (line 11):
Same change — remove ENV ROOT_PASSWORD="password" and replace with the same comment.

3. opendj-packages/opendj-docker/run.sh (around lines 31-32):
Update the password resolution logic to support Docker secrets and provide the default fallback. Replace:

export PASSWORD=${ROOT_PASSWORD:-password}
echo "Password set to $PASSWORD"

With:

# Read ROOT_PASSWORD from Docker secret file if available, fall back to env var, then default
if [ -f /run/secrets/root_password ]; then
  export ROOT_PASSWORD=$(cat /run/secrets/root_password)
fi
export ROOT_PASSWORD=${ROOT_PASSWORD:-password}
export PASSWORD=${ROOT_PASSWORD}
echo "Password is set"

Note: The HEALTHCHECK commands in both Dockerfiles reference $ROOT_PASSWORD — this is fine because the variable will be available at container runtime when passed via docker run -e or set in run.sh. No changes needed to the HEALTHCHECK lines.

Backward Compatibility

• Users who previously relied on the default password (password) will still get it via the fallback in run.sh.
• Users who pass -e ROOT_PASSWORD=xxx at docker run time will continue to work.
• New support for Docker secrets (/run/secrets/root_password) is added as a best practice.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: предложи решение Sensitive data should not be used in the ARG or ENV commands: opendj-packages/opendj-docker/Dockerfile#L11
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "ROOT_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
Sensitive data should not be used in the ARG or ENV commands: opendj-packages/opendj-docker/Dockerfile-alpine#L11
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "ROOT_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Assistant: Let me also check how ROOT_PASSWORD is used in the entrypoint and bootstrap scripts.

Assistant: Now I have a complete picture of the issue and the codebase. Let me provide a comprehensive solution.

Problem

Both Dockerfile and Dockerfile-alpine use ENV ROOT_PASSWORD="password" (line 11), which triggers the Docker lint warning SecretsUsedInArgOrEnv. Sensitive data like passwords should never be baked into an image layer via ENV or ARG because:

1. The value is visible in docker inspect and image history.
2. It persists in every layer of the image, even if overridden later.

Proposed Solution

Replace the ENV ROOT_PASSWORD with a runtime-only mechanism. The password should be passed either as a Docker secret (preferred for Swarm/Compose), a mounted file, or a plain runtime environment variable (docker run -e). The key point is to remove it from the Dockerfile itself.

Changes to both Dockerfiles

1. Remove ENV ROOT_PASSWORD from both Dockerfiles:

FROM eclipse-temurin:25-jre-jammy

LABEL org.opencontainers.image.authors="Open Identity Platform Community"

ENV ADD_BASE_ENTRY="--addBaseEntry"
ENV PORT=1389
ENV LDAPS_PORT=1636
ENV ADMIN_PORT=4444
ENV BASE_DN="dc=example,dc=com"
ENV ROOT_USER_DN="cn=Directory Manager"
# ROOT_PASSWORD removed from ENV — pass at runtime via:
#   docker run -e ROOT_PASSWORD=...
#   or mount a secret file to /run/secrets/root_password
#ENV SECRET_VOLUME
ENV OPENDJ_SSL_OPTIONS="--generateSelfSignedCertificate"
#ENV MASTER_SERVER
#ENV OPENDJ_REPLICATION_TYPE
ENV OPENDJ_USER="opendj"
#ENV OPENDJ_JAVA_ARGS=""
ENV BACKEND_TYPE="je"
ENV BACKEND_DB_DIRECTORY="db"
#ENV SETUP_ARGS

The same change applies to Dockerfile-alpine (remove line 11).

**2. Update run.sh to support both env v...

This pull request was created from Copilot chat.

[vharseko]

@copilot merge from master

[Copilot]

@copilot merge from master

Done — merged master into this branch (commit d844672). The merge brought in 3 changed files from master (.github/workflows/build.yml, opendj-server-legacy/pom.xml, pom.xml) with no conflicts.