Why is this an issue?
Sensitive data has been found in the Dockerfile or Docker image. The data should be considered breached.
If malicious third parties can get a hold of such information, they could impersonate legitimate identities within the organization.
It is a
clear breach of trust in the system, as the systems involved falsely assume that the authenticated entity is who it claims to be.
The consequences
can be catastrophic.
In Dockerfiles, secrets hard-coded, secrets passed through as variables or created at build-time will cause security risks. The secret information
can be exposed either via the container environment itself, the image metadata or the build environment logs.
Docker Buildkit’s secret mount options should be used when secrets have to be accessed at build time. For run-time secrets, best practices would
recommend only setting them at runtime, for example with the --env
option of the docker run command.
Note that files exposing the secrets should be securely stored and not exposed to a large sphere. If possible, use a secret vault or another
similar component. For example, Docker Swarm provides a secrets service that can be used to handle most confidential
data.
Noncompliant code example
FROM example
ARG PASSWORD
# Noncompliant
RUN wget --user=guest --password="$PASSWORD" https://example.com
Compliant solution
For build-time secrets, use Buildkit’s secret mount type
instead:
FROM example
RUN --mount=type=secret,id=build_secret \
wget --user=guest --password=$(cat /run/secrets/build_secret) https://example.com
For runtime secrets, leave the environment variables empty until runtime:
FROM example
ENV ACCESS_TOKEN=""
CMD /run.sh
Store the runtime secrets in an environment file (such as .env
) and then start
the container with the --env-file
argument:
docker run --env-file .env myImage
Resources