Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Docker static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your DOCKER code

Filtered: 19 rules found

cwe

Credentials should not be hard-coded

Vulnerability

BlockerSonarSource default severity
click to learn more

Why is this an issue?

Sensitive data has been found in the Dockerfile or Docker image. The data should be considered breached.

If malicious third parties can get a hold of such information, they could impersonate legitimate identities within the organization.
It is a clear breach of trust in the system, as the systems involved falsely assume that the authenticated entity is who it claims to be.
The consequences can be catastrophic.

In Dockerfiles, secrets hard-coded, secrets passed through as variables or created at build-time will cause security risks. The secret information can be exposed either via the container environment itself, the image metadata or the build environment logs.

Docker Buildkit’s secret mount options should be used when secrets have to be accessed at build time. For run-time secrets, best practices would recommend only setting them at runtime, for example with the --env option of the docker run command.

Note that files exposing the secrets should be securely stored and not exposed to a large sphere. If possible, use a secret vault or another similar component. For example, Docker Swarm provides a secrets service that can be used to handle most confidential data.

Noncompliant code example

The following code snippet demonstrates the creation of a file with a private key and a public key, which are then stored in the metadata of the container.
This is non-compliant, as the private key should not be exposed anywhere.

FROM example

# Noncompliant
RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key

RUN /example.sh --ssh /etc/ssh/rsa_key

In the following sample, the code uses a seemingly-hidden password which is actually leaked after the container is built.

FROM example
ARG PASSWORD

# Noncompliant
RUN wget --user=guest --password="$PASSWORD" https://example.com

Compliant solution

For build-time secrets, use Buildkit’s secret mount type instead:

FROM example

RUN --mount=type=secret,id=ssh,target=/etc/ssh/rsa_key \
    /example.sh --ssh /etc/ssh/rsa_key

FROM example

RUN --mount=type=secret,id=wget_passwd \
    wget --user=guest --password="$(cat /run/secrets/wget_passwd)" https://example.com

For runtime secrets, leave the environment variables empty in the Dockerfile. Then store the runtime secrets in an environment file such as .env and then start the container with the --env-file argument:

docker run --env-file .env myImage

Resources

Dockerfile reference - RUN command secrets mount points
Docker documentation - Manage sensitive data with Docker secrets
MITRE, CWE-522 - Insufficiently Protected Credentials
MITRE, CWE-798 - Use of Hard-coded Credentials

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted