Impact & Risk Analysis

  • Severity: Critical
  • CIS Benchmark: CIS 4.10
  • Impact: Credential Exposure. Docker images are not opaque; they contain a full history of the commands used to build them. If secrets (API keys, passwords, SSH keys) are included in the Dockerfile, they remain visible in the image layers to any user who pulls the image, even if you try to delete them in a later step.

Common Misconfiguration

Storing secrets directly in the Dockerfile using ENV variables or RUN commands. Developers often assume that because the image is compiled, the text is hidden, but docker history reveals all layer commands in plain text.

Vulnerable Example

# Vulnerable Dockerfile
FROM node:18-alpine

# VULNERABLE: Hardcoded secrets in ENV variables
# Anyone running 'docker inspect' can see this value
ENV DB_PASSWORD=supersecretpassword123
ENV AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE

WORKDIR /app
COPY . .

# VULNERABLE: Passing secrets in build commands
RUN npm install --auth-token=ghp_secret_token

CMD ["node", "server.js"]

Secure Example

# syntax=docker/dockerfile:1
# Secure Dockerfile using Docker BuildKit
# The syntax directive above must be the very first line of the file (before any
# comment or instruction), otherwise the parser ignores it and --mount is unavailable

FROM node:18-alpine

WORKDIR /app
COPY . .

# SECURE: Use BuildKit secret mounts
# The secret is mounted only during this RUN instruction and is not saved in the image layer
RUN --mount=type=secret,id=npm_token \
    npm install --auth-token=$(cat /run/secrets/npm_token)

CMD ["node", "server.js"]

Audit Procedure

Run the command below to get the list of images:
docker images

Run the command below for each image in the list above, and look for any secrets:
docker history <IMAGE_ID>

Alternatively, if you have access to the Dockerfile for the image, verify that there are no secrets stored within it.
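The following POSIX shell helpers are an added example, not part of the benchmark text or of any Docker tooling. They automate the audit procedure above (list images, inspect each one's build history and ENV configuration, flag lines that look like embedded secrets) and show how the secure Dockerfile is actually built, since the page shows the secret mount but not the matching `docker build --secret` invocation. The secret patterns, the function names, the image tag and the sample history lines are all constructed for this example; the sample values themselves come from the page's vulnerable Dockerfile.

```shell
#!/bin/sh
# Added example for CIS 4.10 (not the page's own code).
# Assumes: POSIX sh, grep -E, and a Docker CLI with BuildKit (docker >= 18.09)
# for the functions that talk to the daemon. The scanner itself runs offline.

# Secret shapes the page discusses: ENV assignments with a literal value,
# CLI auth tokens with a literal value, AWS access key IDs, GitHub tokens,
# private keys. A value that starts with "$" is a build-time reference such as
# $(cat /run/secrets/...), so only the command text (not the secret) is recorded.
SECRET_PATTERNS='(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY)[A-Z_]*=[^$[:space:]]|--auth-token=[^$[:space:]]|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# count_secret_lines TEXT: number of lines in TEXT that match a secret pattern.
count_secret_lines() {
    printf '%s\n' "$1" | grep -E -c "$SECRET_PATTERNS" || true
}

# print_secret_lines TEXT: the matching lines themselves, for the audit report.
print_secret_lines() {
    printf '%s\n' "$1" | grep -E "$SECRET_PATTERNS" || true
}

# audit_images: the page's audit procedure, run over every local image.
# Checks both the layer commands (docker history) and the image's ENV
# configuration (docker inspect). Returns 1 if anything suspicious was found.
audit_images() {
    found=0
    for id in $(docker images -q | sort -u); do
        history=$(docker history --no-trunc --format '{{.CreatedBy}}' "$id")
        envs=$(docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$id")
        hits=$(print_secret_lines "$history
$envs")
        if [ -n "$hits" ]; then
            found=1
            printf 'POSSIBLE SECRET in image %s:\n%s\n\n' "$id" "$hits"
        fi
    done
    return $found
}

# build_with_secret TAG TOKEN_FILE: build the secure Dockerfile from the page,
# supplying the npm token through a BuildKit secret rather than the Dockerfile.
# The id must match the id= used in the RUN --mount=type=secret line.
build_with_secret() {
    DOCKER_BUILDKIT=1 docker build --secret id=npm_token,src="$2" -t "$1" .
}

# Constructed sample of `docker history --format '{{.CreatedBy}}'` output for
# the page's vulnerable Dockerfile (newest layer first).
SAMPLE_LEAKY_HISTORY='CMD ["node" "server.js"]
RUN /bin/sh -c npm install --auth-token=ghp_secret_token # buildkit
COPY . . # buildkit
WORKDIR /app
ENV AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
ENV DB_PASSWORD=supersecretpassword123
/bin/sh -c #(nop)  CMD ["node"]
/bin/sh -c #(nop) WORKDIR /app'

# Constructed sample for the secure Dockerfile: the RUN line is recorded, but
# only as the command text, so no secret value is present.
SAMPLE_CLEAN_HISTORY='CMD ["node" "server.js"]
RUN /bin/sh -c npm install --auth-token=$(cat /run/secrets/npm_token) # buildkit
COPY . . # buildkit
WORKDIR /app'

# Demonstrate the scanner offline; run with "--audit" to scan real local images.
printf 'leaky sample: %s suspicious line(s)\n' "$(count_secret_lines "$SAMPLE_LEAKY_HISTORY")"
printf 'clean sample: %s suspicious line(s)\n' "$(count_secret_lines "$SAMPLE_CLEAN_HISTORY")"
if [ "${1:-}" = "--audit" ]; then
    audit_images
fi
```

Two caveats worth keeping in mind when reading the report: a pattern scanner only finds the secret shapes it knows about, so treat a clean result as a prompt for manual review of the Dockerfile rather than proof of absence; and build arguments (`ARG`/`--build-arg`) are not a safe alternative to secret mounts, because their values are recorded in the layer history alongside the `RUN` commands that use them.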

Remediation

Do not store any kind of secrets within Dockerfiles. Where secrets are required during the build process, make use of a secrets management tool, such as the BuildKit builder included with Docker, which allows mounting secrets temporarily without persisting them in the final image layers.