Secrets in Docker – The Nightmare of Data Leaks in Your Images

Did you think your secrets were safe in your Docker images? Think again! A study from the University of Aachen revealed that nearly 10% of public images on DockerHub contained secrets (identifiers, API keys, passwords, sensitive endpoints, etc.).

It’s chilling.

We’re talking about over 50,000 publicly accessible API keys and identifiers. And that’s just the tip of the iceberg because researchers from Redhunt Labs also found more than 46,000 Dockerfiles exposing sensitive information. In short, it’s a security nightmare!

But how do these secrets end up leaking like a sieve? Often, it’s due to overly permissive file operations, hard-coded secrets in Dockerfiles, etc.

For example, many tutorials and even Docker's official documentation suggest using COPY . . to copy the entire current directory into the image. However, this also includes sensitive files like .env or Git history. Not great for confidentiality.

And even if you delete these sensitive files after the COPY, they remain in the previous layers of the image. An attacker could still access them. Thanks, layers 🙂

Another classic mistake is directly putting secrets in the Dockerfile or passing them as build arguments. Once again, this is a gift for hackers. A simple docker history --no-trunc and boom, your secrets are exposed.

Fortunately, there are solutions to secure all this. For example, multi-stage builds allow you to isolate secrets in an intermediate stage that won’t be kept in the final image. And recently, BuildKit introduced a --secret option to inject secrets without storing them in the image, but beware of pitfalls! If your app logs the secret it uses, it will still end up in the image. Multi-stage builds remain safer in this regard.
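To make the difference concrete, here is an added example (not from the article): a Dockerfile for a hypothetical Node.js app that needs a private registry token only at install time, showing the leaky pattern as a comment beside the multi-stage build with a BuildKit secret mount, plus the .dockerignore and build command that go with it. The secret id "npmrc", the file paths and the app layout are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the article's code: hardened build for a hypothetical
# Node.js app that needs a private registry token only during `npm ci`.
#
# LEAKY pattern the article warns about (do not use):
#   ARG NPM_TOKEN
#   COPY . .
#   RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm ci
# The token survives in `docker history --no-trunc` (build arg) and in the
# layer that wrote ~/.npmrc, even if a later RUN deletes the file.

# ---- stage 1: build; the secret is reachable only here --------------------
FROM node:20-alpine AS build
WORKDIR /src
# Copy only the manifests; .dockerignore (below) keeps .env and .git out of
# the build context, so COPY can never pick them up by accident.
COPY package.json package-lock.json ./
# The secret is mounted as a file for this single RUN step. It is never
# written into a layer and never appears in `docker history`.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci --omit=dev
COPY src ./src

# ---- stage 2: runtime image, rebuilt from a clean base --------------------
FROM node:20-alpine
WORKDIR /app
# Only the paths named here cross into the final image; nothing else from
# the build stage (including any file a tool might have logged) ships.
COPY --from=build /src/node_modules ./node_modules
COPY --from=build /src/src ./src
USER node
CMD ["node", "src/server.js"]

# Build with BuildKit, passing the token file from outside the context:
#   DOCKER_BUILDKIT=1 docker build --secret id=npmrc,src=$HOME/.npmrc -t app .
#
# .dockerignore to keep next to this Dockerfile (assumed content):
#   .git
#   .env*
#   *.pem
#
# Check afterwards: `docker history --no-trunc app` must show no token, and
# an image scanner such as TruffleHog should come back clean.
```

The caveat from the article still applies: if `npm ci` wrote the token into a file under /src/node_modules, COPY --from would carry that file into the final image, so audit the copied paths, not just the Dockerfile.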

In short, as you can see, managing secrets in Docker isn’t easy, but by following best practices, you can limit the risks.

So, think multi-stage builds, use .dockerignore, forget hard-coded secrets, and don’t overuse build arguments. And above all, make it a habit to audit your images with tools like TruffleHog. Because a leaked secret means your reputation sinks.

Mohamed SAKHRI

I'm the creator and editor-in-chief of Tech To Geek. Through this little blog, I share with you my passion for technology. I specialize in various operating systems such as Windows, Linux, macOS, and Android, focusing on providing practical and valuable guides.
