Do you use Docker images to run your software? Does running or building your image involve a password or other credential that you really (don’t) want to share with hackers?
Well, you’re in luck, because Docker makes it really easy to share your passwords, cloud credentials, and SSH private keys with the world. Whether it’s runtime secrets, build secrets, or just some random unrelated credentials you had lying around in the wrong place, Docker’s got you covered when it comes to secret leaks.
In this article we’ll cover:
- Some evidence this actually happens.
- Leaking build time secrets.
- Accidental leaks with
COPY. - Leaking runtime secrets.
- Some (partially?) missing tooling that would help fix the problem.