SONARIAC-583 Modify S6437(docker): Add Wget samples (#2981)

To merge when SONARIAC-583 is complete.

rules/S6437/docker/rule.adoc

@@ -31,9 +31,6 @@ The following code snippet demonstrates the creation of a file with a private
 key and a public key, which are then stored in the metadata of the container. +
 This is non-compliant, as the private key should not be exposed anywhere.
 
-Afterwards, the code uses a seemingly-hidden password which is actually leaked
-after the container is built.
-
 
 [source,docker, diff-id=1, diff-type=noncompliant]
 ----
@@ -45,6 +42,18 @@ RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key
 RUN /example.sh --ssh /etc/ssh/rsa_key
 ----
 
+In the following sample, the code uses a seemingly-hidden password which is
+actually leaked after the container is built.
+
+[source,docker, diff-id=2, diff-type=noncompliant]
+----
+FROM example
+ARG PASSWORD
+
+# Noncompliant
+RUN wget --user=guest --password="$PASSWORD" https://example.com
+----
+
 === Compliant solution
 
 For build-time secrets, use
@@ -58,6 +67,14 @@ RUN --mount=type=secret,id=ssh,target=/etc/ssh/rsa_key \
     /example.sh --ssh /etc/ssh/rsa_key
 ----
 
+[source,docker, diff-id=2, diff-type=compliant]
+----
+FROM example
+
+RUN --mount=type=secret,id=wget_passwd \
+    wget --user=guest --password="$(cat /run/secrets/wget_passwd)" https://example.com
+----
+
 For runtime secrets, leave the environment variables empty in the Dockerfile.
 Then store the runtime secrets in an
 https://docs.docker.com/compose/env-file/[environment file] such as `.env` and