dockerfile.security.secret-in-build-arg.secret-in-build-arg
semgrep
Author
unknown
Docker build-time arguments are not suited for secrets, because the argument values are saved with the image. Running `docker image history` on the image shows how the image was built, including the values passed to ARG instructions. If those contain plain-text secrets, anyone with access to the image (anyone who can pull it from the registry, for instance) can read those secrets and exploit them.
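The check and the fix side by side, as an added example that is not part of the Semgrep rule or the Docker documentation: a small Python scanner that applies the rule's ARG-name pattern to a Dockerfile, run against a constructed vulnerable Dockerfile and a hardened version that moves the credential into a BuildKit secret mount (`RUN --mount=type=secret`). The registry host, secret id, package name and file names are made up for the example.

```python
"""Flag secret-looking Docker build arguments and show the secret-mount alternative.

Added example, not code from the Semgrep rule or from Docker. The two
Dockerfiles below are constructed samples.
"""
import re

# The name pattern the rule applies to $ARG: case-insensitive and matched
# against the ARG name only. The default value is deliberately not inspected,
# so ARG NAME_IS_OK="secret password token key" is not flagged.
SECRET_NAME_RE = re.compile(r"(?i)^.*(password|secret|token|key|cert|api|auth)")

# ARG <name> or ARG <name>=<default>, one argument per line. Backslash
# continuations and the newer multi-assignment form are out of scope here.
ARG_LINE_RE = re.compile(
    r"^\s*ARG\s+([A-Za-z_][A-Za-z0-9_]*)(?:=(.*))?\s*$", re.IGNORECASE
)


def find_secret_args(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line_number, arg_name) for every ARG whose name looks secret-bearing."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = ARG_LINE_RE.match(line)
        if m and SECRET_NAME_RE.match(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed "before": the credential is a build argument, so it is recorded
# in the image metadata and shown by `docker image history`.
VULNERABLE = """\
FROM python:3.12-slim
ARG PIP_INDEX_URL
ARG NEXUS_PASSWORD
RUN pip install --index-url "https://deploy:${NEXUS_PASSWORD}@nexus.example.internal/simple" myapp
"""

# Constructed "after": a BuildKit secret mount. The value is exposed only to
# this RUN step, under /run/secrets/<id> on a tmpfs, and is written to no layer
# and no history entry. Build with (hypothetical file name):
#   docker build --secret id=nexus_pw,src=./nexus_pw.txt .
HARDENED = """\
FROM python:3.12-slim
ARG PIP_INDEX_URL
RUN --mount=type=secret,id=nexus_pw \\
    pip install --index-url "https://deploy:$(cat /run/secrets/nexus_pw)@nexus.example.internal/simple" myapp
"""


if __name__ == "__main__":
    for label, content in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        hits = find_secret_args(content)
        print(f"{label}: {hits if hits else 'no secret-looking ARGs'}")
```

After building, `docker image history --no-trunc <image>` is the check that matters: with the ARG version the history contains the `NEXUS_PASSWORD` value, with the secret-mount version it does not. The scanner above only mirrors the rule's name heuristic, so, like the rule, it reports ARGs named like secrets even when they carry harmless values and misses secrets passed under innocuous names.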
Definition
rules:
  - id: secret-in-build-arg
    patterns:
      - pattern-either:
          - pattern: ARG $ARG
          - pattern: ARG $ARG=...
      - metavariable-regex:
          metavariable: $ARG
          regex: (?i).*(password|secret|token|key|cert|api|auth)
    message: Docker build time arguments are not suited for secrets, because the
      argument values are saved with the image. Running `docker image history`
      on the image will show information on how the image was built, including
      arguments. If these contain plain text secrets, anyone with access to the
      docker image can access those secrets and exploit them.
    metadata:
      category: security
      technology:
        - dockerfile
      cwe:
        - "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory"
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://cwe.mitre.org/data/definitions/538.html
        - https://docs.docker.com/engine/reference/builder/#arg
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - dockerfile
    severity: WARNING
Examples
secret-in-build-arg.dockerfile
# ok: secret-in-build-arg
ARG BASE_IMG=rust
# ok: secret-in-build-arg
ARG BASE_TAG=latest
FROM ${BASE_IMG}:${BASE_TAG}
# ok: secret-in-build-arg
ARG environment
# ok: secret-in-build-arg
ARG BUILD_PACKAGES="ruby-dev build-base curl-dev git openssl bash"
# ok: secret-in-build-arg
ARG DEV_PACKAGES="postgresql-dev"
# ok: secret-in-build-arg
ARG RUBY_PACKAGES="tzdata"
# ok: secret-in-build-arg
ARG NAME_IS_OK="secret password token key"
# ruleid: secret-in-build-arg
ARG SECRET_KEY_BASE
# ruleid: secret-in-build-arg
ARG SECRET_TOKEN
# ruleid: secret-in-build-arg
ARG AUTH_TOKEN="this-is-a-secret"
# ruleid: secret-in-build-arg
ARG SSH_PRIVATE_KEY
# ruleid: secret-in-build-arg
ARG CERT_PASSWORD
# ruleid: secret-in-build-arg
ARG DJANGO_SECRET_KEY
# ruleid: secret-in-build-arg
ARG NEXUS_PASSWORD
# ruleid: secret-in-build-arg
ARG nexus_password
Short Link: https://sg.run/w6wA