dockerfile.security.secret-in-build-arg.secret-in-build-arg

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

Docker build time arguments are not suited for secrets, because the argument values are saved with the image. Running docker image history on the image will show information on how the image was built, including arguments. If these contain secrets, anyone with access to the docker image can access those secrets.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: secret-in-build-arg
    patterns:
      - pattern: ARG $ARG
      - metavariable-regex:
          metavariable: $ARG
          regex: (?i).*(password|secret|token)
    message: Docker build time arguments are not suited for secrets, because the
      argument values are saved with the image. Running `docker image history`
      on the image will show information on how the image was built, including
      arguments. If these contain secrets, anyone with access to the docker
      image can access those secrets.
    metadata:
      category: security
      technology:
        - dockerfile
      cwe:
        - "CWE-538: Insertion of Sensitive Information into
          Externally-Accessible File or Directory"
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://cwe.mitre.org/data/definitions/538.html
        - https://docs.docker.com/engine/reference/builder/#arg
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - dockerfile
    severity: WARNING

Examples

secret-in-build-arg.dockerfile

# ok: secret-in-build-arg
ARG BASE_IMG=rust
# ok: secret-in-build-arg
ARG BASE_TAG=latest

FROM ${BASE_IMG}:${BASE_TAG}

# ok: secret-in-build-arg
ARG environment

# ok: secret-in-build-arg
ARG BUILD_PACKAGES="ruby-dev build-base curl-dev git openssl bash"

# ok: secret-in-build-arg
ARG DEV_PACKAGES="postgresql-dev"

# ok: secret-in-build-arg
ARG RUBY_PACKAGES="tzdata"

# ok: secret-in-build-arg
ARG NAME_IS_OK="secret password token key"

# ruleid: secret-in-build-arg
ARG SECRET_KEY_BASE

# ruleid: secret-in-build-arg
ARG SECRET_TOKEN

# ruleid: secret-in-build-arg
ARG DJANGO_SECRET_KEY

# ruleid: secret-in-build-arg
ARG NEXUS_PASSWORD

# ruleid: secret-in-build-arg
ARG nexus_password