# Ensure Secrets Are Not Stored in Dockerfiles (CIS 4.10)

> Prevent credential theft by removing hardcoded secrets from Dockerfiles

## Impact & Risk Analysis

* **Severity:** Critical
* **CIS Benchmark:** CIS 4.10
* **Impact:** **Credential Exposure.** Docker images are not opaque; they contain a full history of the commands used to build them. If secrets (API keys, passwords, SSH keys) are included in the Dockerfile, they remain visible in the image layers to any user who pulls the image, even if you try to delete them in a later step.

## Common Misconfiguration

Storing secrets directly in the Dockerfile using `ENV` variables or `RUN` commands. Developers often assume that because the image is a packaged binary artifact, the text is hidden, but `docker history` reveals the full command of every layer in plain text.

## Vulnerable Example

```dockerfile
# Vulnerable Dockerfile
FROM node:18-alpine

# VULNERABLE: Hardcoded secrets in ENV variables
# Anyone running 'docker inspect' or 'docker history' can see these values
ENV DB_PASSWORD=supersecretpassword123
ENV AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE

WORKDIR /app
COPY . .

# VULNERABLE: Passing secrets in build commands
# The full RUN command text, token included, is recorded in the layer history
RUN npm install --auth-token=ghp_secret_token

CMD ["node", "server.js"]
```

## Secure Example

```dockerfile
# syntax=docker/dockerfile:1
# Secure Dockerfile using Docker BuildKit.
# The syntax directive above must be the very first line of the file (before any
# other comment), otherwise it is ignored; it selects the BuildKit frontend that
# provides --mount=type=secret.

FROM node:18-alpine

WORKDIR /app
COPY . .

# SECURE: Use a BuildKit secret mount.
# The secret is mounted only during this RUN instruction and is not saved in
# the image layer: `docker history` records the command text below, not the value.
# Supply it at build time, e.g.:
#   docker build --secret id=npm_token,src=./npm_token.txt .
RUN --mount=type=secret,id=npm_token \
    npm install --auth-token=$(cat /run/secrets/npm_token)

CMD ["node", "server.js"]
```

## Audit Procedure

Run the command below to get the list of images:

```bash
docker images
```

Run the command below for each image in the list above, and look for any secrets:

```bash
docker history <IMAGE_ID>
```

Alternatively, if you have access to the Dockerfile for the image, verify that there are no secrets stored within it.
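The audit above as a script, added here as an example and not part of the CIS benchmark text: it runs `docker history` over every local image and flags layer commands that carry a literal secret, while leaving BuildKit secret-mount lines alone. It assumes the `docker` CLI is on `PATH`; the function names, the pattern list and the sample history lines are this example's own constructions.

```shell
#!/bin/sh
# Added example (not part of the CIS page): audit local images for hardcoded
# secrets by scanning `docker history --no-trunc` output. Function names and the
# pattern list are this example's own choices; extend the list to your naming.

# scan_history: reads `docker history --no-trunc --format '{{.CreatedBy}}'` lines
# on stdin (--no-trunc matters: plain `docker history` truncates long RUN lines),
# prints those carrying a literal secret and returns 1 if any were found.
scan_history() {
  # Literal shapes: NAME=value for secret-like names, AWS access key IDs,
  # GitHub tokens, and --token/--password style flags given a literal value.
  # $(cat /run/secrets/...) is a BuildKit secret mount, not a literal, so
  # `[^ $]` plus the /run/secrets filter keep such lines out of the findings.
  found=$(grep -E \
      -e '(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)[A-Za-z0-9_]*=[^ $]' \
      -e 'AKIA[0-9A-Z]{16}' \
      -e 'ghp_[A-Za-z0-9]{20,}' \
      -e '--(auth-token|password|token)=[^ $]' \
    | grep -v -F '/run/secrets/' || true)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# audit_images: run scan_history over every local image (needs the docker CLI).
audit_images() {
  rc=0
  for id in $(docker images -q | sort -u); do
    findings=$(docker history --no-trunc --format '{{.CreatedBy}}' "$id" | scan_history) ||
      { rc=1; printf '[FINDING] image %s\n%s\n' "$id" "$findings"; }
  done
  return "$rc"
}

# Constructed history lines (not real docker output) modelled on the vulnerable
# and secure Dockerfiles above, so the scanner can be tried without a daemon.
SAMPLE_HISTORY=$(cat <<'EOF'
/bin/sh -c #(nop)  CMD ["node" "server.js"]
/bin/sh -c npm install --auth-token=ghp_secret_token
/bin/sh -c #(nop) COPY dir:0123abcd in /app
/bin/sh -c #(nop)  ENV NODE_ENV=production
/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
/bin/sh -c #(nop)  ENV DB_PASSWORD=supersecretpassword123
RUN --mount=type=secret,id=npm_token /bin/sh -c npm install --auth-token=$(cat /run/secrets/npm_token) # buildkit
EOF
)

case "${1:-}" in
  --demo)  printf '%s\n' "$SAMPLE_HISTORY" | scan_history ;;   # prints 3 findings, exits 1
  --audit) audit_images ;;
esac
```

Run with `--demo` to see the three constructed findings (the two `ENV` lines and the `--auth-token=` literal) and with `--audit` against a real Docker host; a non-zero exit makes it usable as a CI gate.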

## Remediation

Do not store any kind of secrets within Dockerfiles. Where secrets are required during the build process, make use of a secrets management tool, such as the **BuildKit builder** included with Docker, which allows mounting secrets temporarily without persisting them in the final image layers.
