feat: Add Challenge 60 — insecure MCP server with prompt injection leaking env var secrets #215

Triggered via pull request March 6, 2026 06:59
Status Success
Total duration 11m 53s
Artifacts 3

pr-preview.yml

on: pull_request

Annotations

6 warnings
Variables should be defined before their use: Dockerfile#L17
UndefinedVar: Usage of undefined variable '$argBasedVersion' More info: https://docs.docker.com/go/dockerfile/rule/undefined-var/
Sensitive data should not be used in the ARG or ENV commands: Dockerfile#L16
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "ARG_BASED_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
JSON arguments recommended for ENTRYPOINT/CMD to prevent unintended behavior related to OS signals: Dockerfile#L74
JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals More info: https://docs.docker.com/go/dockerfile/rule/json-args-recommended/
Sensitive data should not be used in the ARG or ENV commands: Dockerfile#L21
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "WRONGSECRETS_MCP_SECRET") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
Sensitive data should not be used in the ARG or ENV commands: Dockerfile#L19
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "AZURE_KEY_VAULT_ENABLED") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
Sensitive data should not be used in the ARG or ENV commands: Dockerfile#L18
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "DOCKER_ENV_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Artifacts

Produced during runtime
Name | Size | Digest
OWASP~wrongsecrets~J2ZCF6.dockerbuild | 168 KB | sha256:1b1796cd332049acc70d2f1d3c867735499a7e6799db4f25476e57b4b58bdb04
visual-diff-pr-2400 | 1.71 MB | sha256:00c3fa061b775ee99ef04cb0a8ad8c4570be90c31427cb39221002d244177b5b
wrongsecrets-preview-pr-2400 | 352 MB | sha256:d827f977466ea60e68f3625d0e9f4ed7c6158a7df88985ddeee268f9eb0c20d7