Why is this an issue?

Sensitive data has been found in the Dockerfile or Docker image. The data should be considered breached.

If malicious third parties can get a hold of such information, they could impersonate legitimate identities within the organization.
It is a clear breach of trust in the system, as the systems involved falsely assume that the authenticated entity is who it claims to be.
The consequences can be catastrophic.

In Dockerfiles, secrets hard-coded, secrets passed through as variables or created at build-time will cause security risks. The secret information can be exposed either via the container environment itself, the image metadata or the build environment logs.

Docker Buildkit’s secret mount options should be used when secrets have to be accessed at build time. For run-time secrets, best practices would recommend only setting them at runtime, for example with the --env option of the docker run command.

Note that files exposing the secrets should be securely stored and not exposed to a large sphere. If possible, use a secret vault or another similar component. For example, Docker Swarm provides a secrets service that can be used to handle most confidential data.

Noncompliant code example

The following code snippet demonstrates the creation of a file with a private key and a public key, which are then stored in the metadata of the container.
This is non-compliant, as the private key should not be exposed anywhere.

FROM example

# Noncompliant
RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key

RUN /example.sh --ssh /etc/ssh/rsa_key

In the following sample, the code uses a seemingly-hidden password which is actually leaked after the container is built.

FROM example
ARG PASSWORD

# Noncompliant
RUN wget --user=guest --password="$PASSWORD" https://example.com

Compliant solution

For build-time secrets, use Buildkit’s secret mount type instead:

FROM example

RUN --mount=type=secret,id=ssh,target=/etc/ssh/rsa_key \
    /example.sh --ssh /etc/ssh/rsa_key

FROM example

RUN --mount=type=secret,id=wget_passwd \
    wget --user=guest --password="$(cat /run/secrets/wget_passwd)" https://example.com

For runtime secrets, leave the environment variables empty in the Dockerfile. Then store the runtime secrets in an environment file such as .env and then start the container with the --env-file argument:

docker run --env-file .env myImage

Resources

• Dockerfile reference - RUN command secrets mount points
• Docker documentation - Manage sensitive data with Docker secrets
• MITRE, CWE-522 - Insufficiently Protected Credentials
• MITRE, CWE-798 - Use of Hard-coded Credentials