Dockerfile is free of stored secrets
Description
Do not store any secrets in Dockerfiles.
Rationale
Docker images are not opaque: they record the commands used to build them, and `docker history` exposes that record to anyone who can pull the image. As such, secrets must not be included in Dockerfiles used to build images, as they will be visible to every user of the image.
Audit
- Run this command to get the list of images:
docker images
- Run this command for each image in the list above, and look for any secrets:
docker history <Image_ID>
Alternatively, if you have access to the Dockerfile for the image, verify that it contains no secrets as described above.
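The audit above is manual; the helper below, added here and not part of the benchmark text, scans `docker history` build steps for the usual ways a secret ends up in a layer (ENV/ARG assignments with credential-like names, build-arg values that Docker records in history as `|1 NAME=value`, AWS access key IDs, PEM private keys) and can loop over every local image. The sample history lines are constructed for the demonstration; the name patterns are an assumption to be extended for your environment.

```shell
#!/bin/sh
# Patterns for build steps that bake a secret into an image layer (assumed
# starting set; extend it). "|N NAME=value" is how docker history records
# build-arg values, so --build-arg does not hide a secret either.
SECRET_RE='ENV +[A-Za-z_]*(PASS|PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)[A-Za-z_]*=|ARG +[A-Za-z_]*(PASS|PASSWORD|SECRET|TOKEN|API_KEY)[A-Za-z_]*=|\|[0-9]+ [^ ]*(PASS|SECRET|TOKEN|KEY)[^ ]*=|AKIA[0-9A-Z]{16}|BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY'

# scan_history: read "docker history" CreatedBy lines on stdin and print the
# suspicious ones. Exit status follows grep: 0 = findings, 1 = clean.
scan_history() {
    grep -Ei "$SECRET_RE"
}

# audit_images: run the benchmark's audit over every local image. A step using
# "RUN --mount=type=secret" is not flagged, because the secret is never stored
# in the layer; that is the remediation the benchmark recommends.
audit_images() {
    for id in $(docker images -q | sort -u); do
        echo "== image $id"
        docker history --no-trunc --format '{{.CreatedBy}}' "$id" \
            | scan_history || echo "   no suspicious build steps"
    done
}

# Constructed sample history (not from a real image): one baked-in ENV secret,
# one build-arg value recorded by Docker, and one clean BuildKit secret mount.
SAMPLE_HISTORY='/bin/sh -c #(nop)  ENV DB_PASSWORD=hunter2
|1 GITHUB_TOKEN=ghp_constructed_example /bin/sh -c git clone https://example.invalid/repo
RUN --mount=type=secret,id=npmrc npm ci'

# count_sample_findings: number of flagged lines in the sample (expected: 2).
count_sample_findings() {
    printf '%s\n' "$SAMPLE_HISTORY" | scan_history | grep -c .
}
```

Run `audit_images` on a host with Docker to perform the audit; `count_sample_findings` exercises the scanner offline.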
Remediation
Do not store any kind of secrets within Dockerfiles. Where secrets are required during the build process, make use of a secrets management tool, such as the BuildKit builder included with Docker.
Impact
A proper secrets management process will be required for Docker image building.
Default value
By default, there are no restrictions on storing configuration secrets in Dockerfiles.
References
- https://github.com/docker/docker/issues/13490
- http://12factor.net/config
- https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
- https://docs.docker.com/develop/develop-images/build_enhancements/
CIS controls
Version 6
14 Controlled Access Based on the Need to Know