Application Insights Connection String Baked into Docker Image Layer Metadata via CI/CD Pipeline
A security misconfiguration in the frontend Docker build pipeline exposes the Application Insights connection string within persistent image layer metadata, creating a secrets-leakage vector accessible to anyone with container registry access. The vulnerability stems from how `VITE_APPINSIGHTS_CONNECTION_STRING` is passed as a Docker build argument and subsequently stored in the image layer history during the build stage.
The issue resides in `src/chat-app/frontend/Dockerfile` (lines 5-8) and its integration with the GitHub Actions workflow at `.github/workflows/frontend-build.yml` (line 78). While embedding the telemetry key in the client-side JavaScript bundle is expected behavior for Application Insights, passing it as a Docker build argument causes the value to persist in layer metadata rather than remaining ephemeral at runtime. Unlike runtime environment variables, build arguments leave forensic traces in the image history that can be extracted using standard tools like `docker history` or registry API queries. An attacker who gains read access to the container registry could retrieve the instrumentation key without ever running the container.
Security researchers classify this as Medium severity under OWASP category A05:2021 (Security Misconfiguration). The blast radius for Application Insights ingestion keys is limited compared to database credentials or authentication tokens, but the exposed key could still enable an adversary to inject false telemetry data, disrupt observability operations, or map internal application endpoints exposed through the instrumentation configuration. The fix involves shifting secrets injection to runtime environment variables, using Docker secrets management, or leveraging build-time secret mounts that do not persist in layer metadata. Organizations with images already pushed to shared registries should treat the key as compromised and rotate it immediately.
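As an added example (not part of the original advisory), the check below scans an image config's `history` array for build-argument values that BuildKit recorded in layer metadata, so images already pushed to a registry can be audited before deciding on rotation. The history sample is constructed, the connection-string value is a placeholder, and the sensitive-name pattern is an assumption.

```python
import json
import re

# Constructed sample of the "history" array from an OCI image config, the
# same data `docker image inspect` or a registry config blob exposes. The
# connection-string value is a placeholder, not a real ingestion key.
SAMPLE_HISTORY = json.dumps([
    {"created_by": "/bin/sh -c #(nop)  ARG VITE_APPINSIGHTS_CONNECTION_STRING"},
    {"created_by": "|1 VITE_APPINSIGHTS_CONNECTION_STRING=InstrumentationKey="
                   "00000000-0000-0000-0000-000000000000;IngestionEndpoint="
                   "https://example.invalid/ /bin/sh -c npm run build"},
    {"created_by": "/bin/sh -c #(nop)  ENV NODE_ENV=production"},
    {"created_by": "/bin/sh -c #(nop) COPY dir:abc in /app"},
])

# Heuristic (assumed) list of name fragments whose values should never be
# recorded in layer metadata.
SENSITIVE_ARG = re.compile(r"(SECRET|TOKEN|KEY|PASSWORD|CONNECTION_STRING)", re.I)

# BuildKit records the build args a RUN step consumed as
# "|N KEY=VALUE ... /bin/sh -c CMD"; N is the number of KEY=VALUE tokens.
BUILDKIT_ARGS = re.compile(r"^\|(\d+)\s+(.*?)\s+/bin/sh -c ")
# ARG and ENV instructions that carry an inline value also persist it.
NOP_ASSIGN = re.compile(r"#\(nop\)\s+(ARG|ENV)\s+([A-Z0-9_]+)=(.+)$")


def find_leaked_build_args(history_json):
    """Return [(layer_index, name, value)] for every sensitive build arg
    whose value is embedded in a layer's created_by string."""
    leaks = []
    for idx, layer in enumerate(json.loads(history_json)):
        created_by = layer.get("created_by", "")
        m = BUILDKIT_ARGS.match(created_by)
        if m:
            count = int(m.group(1))
            for token in m.group(2).split()[:count]:
                name, _, value = token.partition("=")
                if value and SENSITIVE_ARG.search(name):
                    leaks.append((idx, name, value))
            continue
        m = NOP_ASSIGN.search(created_by)
        if m and SENSITIVE_ARG.search(m.group(2)):
            leaks.append((idx, m.group(2), m.group(3)))
    return leaks


if __name__ == "__main__":
    for idx, name, value in find_leaked_build_args(SAMPLE_HISTORY):
        print(f"layer {idx}: {name} recorded in image history ({value[:24]}...)")
```

A hit means the value is retrievable from the registry without running the container, which is the condition under which the advisory says the key should be rotated.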