Why is this an issue?
Sensitive data has been found in the Dockerfile or Docker image. The data should be considered breached.
If malicious third parties can get a hold of such information, they could impersonate legitimate identities within the organization.
It is a
clear breach of trust in the system, as the systems involved falsely assume that the authenticated entity is who it claims to be.
The consequences
can be catastrophic.
In Dockerfiles, secrets hard-coded, secrets passed through as variables or created at build-time will cause security risks. The secret information
can be exposed either via the container environment itself, the image metadata or the build environment logs.
Docker Buildkit’s secret mount options should be used when secrets have to be accessed at build time. For run-time secrets, best practices would
recommend only setting them at runtime, for example with the --env
option of the docker run command.
Note that files exposing the secrets should be securely stored and not exposed to a large sphere. If possible, use a secret vault or another
similar component. For example, Docker Swarm provides a secrets service that can be used to handle most confidential
data.
Noncompliant code example
The following code snippet demonstrates the creation of a file with a private key and a public key, which are then stored in the metadata of the
container.
This is non-compliant, as the private key should not be exposed anywhere.
FROM example
# Noncompliant
RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key
RUN /example.sh --ssh /etc/ssh/rsa_key
In the following sample, the code uses a seemingly-hidden password which is actually leaked after the container is built.
FROM example
ARG PASSWORD
# Noncompliant
RUN wget --user=guest --password="$PASSWORD" https://example.com
Compliant solution
For build-time secrets, use Buildkit’s secret mount type
instead:
FROM example
RUN --mount=type=secret,id=ssh,target=/etc/ssh/rsa_key \
/example.sh --ssh /etc/ssh/rsa_key
FROM example
RUN --mount=type=secret,id=wget_passwd \
wget --user=guest --password="$(cat /run/secrets/wget_passwd)" https://example.com
For runtime secrets, leave the environment variables empty in the Dockerfile. Then store the runtime secrets in an environment file such as .env
and then start the container with the --env-file
argument:
docker run --env-file .env myImage
Resources