
Allow better tuning of SecretsUsedInArgOrEnv check #5775

Nuru opened this issue Feb 24, 2025 · 0 comments

Nuru commented Feb 24, 2025

#5403 complained about the SecretsUsedInArgOrEnv check being overly strict. The example given was PUBLIC_KEY being flagged as a secret. #5410 fixed #5403 too literally, by allowing secrets if they contained the token "public". The current check:

```go
// Check for either full value or first/last word.
// Examples: api_key, DATABASE_PASSWORD, GITHUB_TOKEN, secret_MESSAGE, AUTH
// Case insensitive.
secretsRegexpOnce.Do(func() {
	secretTokens := []string{
		"apikey",
		"auth",
		"credential",
		"credentials",
		"key",
		"password",
		"pword",
		"passwd",
		"secret",
		"token",
	}
	pattern := `(?i)(?:_|^)(?:` + strings.Join(secretTokens, "|") + `)(?:_|$)`
	secretsRegexp = regexp.MustCompile(pattern)
	allowTokens := []string{
		"public",
	}
	allowPattern := `(?i)(?:_|^)(?:` + strings.Join(allowTokens, "|") + `)(?:_|$)`
```

is both buggy and still too inflexible.

  • It has a bug. Although it claims to "Check for either full value or first/last word", it in fact flags values containing any of the tokens anywhere (using underscore as the token separator). For example, it flags KMS_KEY_ALIAS, AWS_ACCESS_KEY_ID, and AWS_SHARED_CREDENTIALS_FILE as secrets.
  • By design it flags things like KEY_NAME, KEY_ALIAS, KEY_ENABLED, CREDENTIAL_MANAGER, REQUIRE_MFA_AUTH, PASSWORD_PROMPT_STRING and so on, which are not secrets.

As a general rule, I think a check like this is impractical to tune correctly. I would prefer it not be enabled by default. I would also like a workaround that, like with other linters, would allow some kind of annotation in the Dockerfile that the ARG or ENV is not a secret.

At a minimum, I would like it to live up to its claim to only check the full value or first/last word. I think this would work:

```go
pattern := `(?i)^(?:(` + strings.Join(secretTokens, "|") + `)(?:_.*)?|.*_(` + strings.Join(secretTokens, "|") + `))$`
```
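The difference between the two patterns is easiest to see by running both over the names the issue mentions. The following is an added, self-contained example (not code from the issue or from BuildKit): it compiles the quoted current pattern and the proposed anchored pattern with the same token lists, applies the same "public" exemption to each, and reports which names each would flag. The helper names `looksLikeSecret` and `flagged` and the `sampleNames` list are constructed for this example; the names themselves are the ones given in the issue text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Token lists exactly as quoted from the check in the issue.
var secretTokens = []string{
	"apikey", "auth", "credential", "credentials", "key",
	"password", "pword", "passwd", "secret", "token",
}
var allowTokens = []string{"public"}

// currentSecretsRe is the pattern the issue quotes from the existing check.
// It is unanchored, so a token bounded by underscores matches anywhere in the name.
var currentSecretsRe = regexp.MustCompile(
	`(?i)(?:_|^)(?:` + strings.Join(secretTokens, "|") + `)(?:_|$)`)

// allowRe is the "public" exemption, used unchanged with both patterns.
var allowRe = regexp.MustCompile(
	`(?i)(?:_|^)(?:` + strings.Join(allowTokens, "|") + `)(?:_|$)`)

// proposedSecretsRe is the replacement proposed in the issue: anchored at both
// ends, so only the whole value, the first word, or the last word may be a token.
var proposedSecretsRe = regexp.MustCompile(
	`(?i)^(?:(` + strings.Join(secretTokens, "|") + `)(?:_.*)?|.*_(` +
		strings.Join(secretTokens, "|") + `))$`)

// looksLikeSecret mirrors the check's decision (constructed helper): a name is
// flagged when it matches the secrets pattern and is not covered by the allow pattern.
func looksLikeSecret(name string, secretsRe *regexp.Regexp) bool {
	return secretsRe.MatchString(name) && !allowRe.MatchString(name)
}

// flagged returns the subset of names the given pattern would flag, in input order.
func flagged(names []string, secretsRe *regexp.Regexp) []string {
	var out []string
	for _, n := range names {
		if looksLikeSecret(n, secretsRe) {
			out = append(out, n)
		}
	}
	return out
}

// sampleNames is constructed from the examples in the issue text.
var sampleNames = []string{
	"KMS_KEY_ALIAS", "AWS_ACCESS_KEY_ID", "AWS_SHARED_CREDENTIALS_FILE", // false positives of the current pattern
	"KEY_NAME", "PASSWORD_PROMPT_STRING", // flagged by design under either pattern (first word is a token)
	"PUBLIC_KEY", // exempted by the allow list under either pattern
	"api_key", "DATABASE_PASSWORD", "GITHUB_TOKEN", "AUTH", // intended positives
}

func main() {
	fmt.Println("current: ", flagged(sampleNames, currentSecretsRe))
	fmt.Println("proposed:", flagged(sampleNames, proposedSecretsRe))
}
```

Running it shows the current pattern flagging the three AWS/KMS names while the proposed pattern drops them; the "by design" cases (KEY_NAME, PASSWORD_PROMPT_STRING) stay flagged under both, which is the second, separate complaint in the issue that a regex change alone does not address.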