Did you think your secrets were safe in your Docker images? Think again! A study from the University of Aachen revealed that nearly 10% of public images on DockerHub contained secrets (identifiers, API keys, passwords, sensitive endpoints, etc.).
It’s chilling.
We’re talking about over 50,000 publicly accessible API keys and identifiers. And that’s just the tip of the iceberg because researchers from Redhunt Labs also found more than 46,000 Dockerfiles exposing sensitive information. In short, it’s a security nightmare!
But how do these secrets end up leaking like a sieve? Often, it’s due to overly permissive file operations, hard-coded secrets in Dockerfiles, etc.
For example, many tutorials and even Docker‘s official documentation suggest using the instruction COPY . . to copy the entire current directory into the image. However, this also includes sensitive files like .env or Git history. Not great for confidentiality.
And even if you delete these sensitive files after the COPY, they remain in the previous layers of the image. An attacker could still access them. Thanks, layers 🙂
Another classic mistake is directly putting secrets in the Dockerfile or passing them as build arguments. Once again, this is a gift for hackers. A simple docker history --no-trunc and boom, your secrets are exposed.
Fortunately, there are solutions to secure all this. For example, multi-stage builds allow you to isolate secrets in an intermediate stage that won’t be kept in the final image. And recently, BuildKit introduced a --secret option to inject secrets without storing them in the image, but beware of pitfalls! If your app logs the secret it uses, it will still end up in the image. Multi-stage builds remain safer in this regard.
In short, as you can see, managing secrets in Docker isn’t easy, but by following best practices, you can limit the risks.
So, think multi-stage builds, use .dockerignore, forget hard-coded secrets, and don’t overuse build arguments. And above all, make it a habit to audit your images with tools like TruffleHog. Because a leaked secret means your reputation sinks.
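As an added illustration (not code from the article or from Docker), here is a small Python audit that flags the anti-patterns described above in a Dockerfile: a whole-context COPY, secret-looking ARG/ENV names, and an rm of .env after that COPY. It runs on two constructed Dockerfiles, a leaky one and a multi-stage one that injects its secret through BuildKit's --mount=type=secret; the pip_token secret id, image names and paths are assumptions.

```python
import re

# Constructed samples (not from the article): a leaky Dockerfile and a
# multi-stage one that injects the secret via BuildKit's --mount=type=secret.
LEAKY = """\
FROM python:3.12
ARG API_KEY
ENV DB_PASSWORD=hunter2
COPY . .
RUN pip install -r requirements.txt && rm -f .env
"""
HARDENED = """\
FROM python:3.12 AS build
COPY requirements.txt .
RUN --mount=type=secret,id=pip_token \\
    PIP_INDEX_URL="$(cat /run/secrets/pip_token)" pip install -r requirements.txt
FROM python:3.12
COPY --from=build /usr/local /usr/local
COPY app.py .
"""
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY|PRIVATE", re.I)

def _instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        inst, _, args = (buf + line).partition(" ")
        yield start, inst.upper(), args.strip()
        buf = ""

def audit_dockerfile(text):
    """Return [(line_no, message)] for the anti-patterns the article describes."""
    findings, context_copied = [], False
    for no, inst, args in _instructions(text):
        srcs = [a for a in args.split() if not a.startswith("--")]
        name = re.split(r"[= ]", args, maxsplit=1)[0]  # ARG/ENV variable name
        if inst in ("COPY", "ADD") and srcs[:1] == ["."]:
            context_copied = True
            findings.append((no, "whole context copied: .env/.git land in the layer unless .dockerignore excludes them"))
        elif inst == "ARG" and SECRET_NAME.search(name):
            findings.append((no, f"build arg {name} is visible in docker history --no-trunc"))
        elif inst == "ENV" and SECRET_NAME.search(name):
            findings.append((no, f"hard-coded secret {name} persists in the image config"))
        elif inst == "RUN" and context_copied and re.search(r"\brm\b.*\.env", args):
            findings.append((no, "rm in a later layer leaves the file in the earlier COPY layer"))
    return findings
```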