dockerfile.security.secret-in-build-arg.secret-in-build-arg

Author: semgrep
Docker build-time arguments (ARG) are not suited for secrets, because the argument values are saved with the image: every RUN instruction that references an ARG records the argument's value alongside its command in that layer's metadata. Running docker image history on the image (add --no-trunc to see the full command lines) shows how the image was built, including those argument values. If they contain plain-text secrets, anyone who can pull or inspect the image can read and exploit them. Because this check only looks at the argument's name, it flags likely secret-bearing ARGs rather than proving a secret is present. The supported alternative is a BuildKit secret mount: pass the value with docker build --secret id=...,src=... and consume it in the step that needs it with RUN --mount=type=secret,id=..., which exposes the file only during that RUN and leaves nothing in the layer history.

Definition

rules:
  - id: secret-in-build-arg
    patterns:
      - pattern-either:
          - pattern: ARG $ARG
          - pattern: ARG $ARG=...
      - metavariable-regex:
          metavariable: $ARG
          regex: (?i).*(password|secret|token|key|cert|api|auth)
    message: Docker build time arguments are not suited for secrets, because the
      argument values are saved with the image. Running `docker image history`
      on the image will show information on how the image was built, including
      arguments. If these contain plain text secrets, anyone with access to the
      docker image can access those secrets and exploit them.
    metadata:
      category: security
      technology:
        - dockerfile
      cwe:
        - "CWE-538: Insertion of Sensitive Information into
          Externally-Accessible File or Directory"
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://cwe.mitre.org/data/definitions/538.html
        - https://docs.docker.com/engine/reference/builder/#arg
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - dockerfile
    severity: WARNING
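As an added illustration, not part of the rule or of the Semgrep registry page, the following Python re-implements the matching logic of the definition above and runs it over a constructed Dockerfile. It makes two properties of the rule visible that the YAML only implies: the regex is applied to the ARG name and never to its value, so ARG NAME_IS_OK="secret password token key" passes while ARG DB_PW slips through (a false negative); and because the leading .* makes the pattern a "contains" test, ARG api_url is reported even though it holds no secret (a false positive), which is why the rule carries LOW confidence. The sample Dockerfile, the argument names in it, and the BuildKit secret-mount line are assumptions constructed for this example.

```python
"""Mirror of the secret-in-build-arg name check, run over a constructed Dockerfile."""
import re

# Name pattern copied from the rule above. metavariable-regex matches from the
# start of the bound name (Python re.match semantics), so the leading .* turns
# it into a case-insensitive "contains" test on the ARG name and nothing else.
SECRET_NAME_RE = re.compile(r"(?i).*(password|secret|token|key|cert|api|auth)")

# `ARG <name>` or `ARG <name>=<value>`. The value is captured only so the
# example can show it is never consulted, which is exactly what the rule does.
ARG_RE = re.compile(
    r"^\s*ARG\s+(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?:=(?P<value>.*?))?\s*$",
    re.IGNORECASE,
)

# Constructed sample (assumption for this example; not the rule's own test file).
# The last line is a hypothetical BuildKit secret mount, the pattern to use
# instead of passing a credential through ARG.
SAMPLE_DOCKERFILE = """\
# constructed sample Dockerfile
ARG BASE_IMG=rust
FROM ${BASE_IMG}:latest
ARG NAME_IS_OK="secret password token key"
ARG NEXUS_PASSWORD
ARG api_url=https://example.invalid/repo
ARG DB_PW
RUN --mount=type=secret,id=nexus_pw curl -u "deploy:$(cat /run/secrets/nexus_pw)" https://example.invalid/repo
"""


def is_secret_arg_name(name):
    """True when the ARG name alone would trip the rule's metavariable-regex."""
    return SECRET_NAME_RE.match(name) is not None


def find_secret_args(dockerfile_text):
    """Return (line_number, arg_name) for every ARG whose name matches the rule."""
    findings = []
    for lineno, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = ARG_RE.match(line)
        if m and is_secret_arg_name(m.group("name")):
            findings.append((lineno, m.group("name")))
    return findings


def unflagged_args(dockerfile_text):
    """ARG names the rule leaves alone; compare against what you know is secret."""
    names = []
    for line in dockerfile_text.splitlines():
        m = ARG_RE.match(line)
        if m and not is_secret_arg_name(m.group("name")):
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    for lineno, name in find_secret_args(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: ARG {name} looks like a secret")
    # DB_PW is a real credential the name heuristic cannot see; api_url above is
    # flagged only because "api" appears in its name.
    print("not flagged:", unflagged_args(SAMPLE_DOCKERFILE))
```

Run it with python3 to see NEXUS_PASSWORD and api_url reported and DB_PW left alone. In CI the real check is still Semgrep with the rule above; this script only exposes the name-based heuristic so you can judge what it will and will not catch in your own Dockerfiles.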

Examples

secret-in-build-arg.dockerfile

# ok: secret-in-build-arg
ARG BASE_IMG=rust
# ok: secret-in-build-arg
ARG BASE_TAG=latest

FROM ${BASE_IMG}:${BASE_TAG}

# ok: secret-in-build-arg
ARG environment

# ok: secret-in-build-arg
ARG BUILD_PACKAGES="ruby-dev build-base curl-dev git openssl bash"

# ok: secret-in-build-arg
ARG DEV_PACKAGES="postgresql-dev"

# ok: secret-in-build-arg
ARG RUBY_PACKAGES="tzdata"

# ok: secret-in-build-arg
ARG NAME_IS_OK="secret password token key"

# ruleid: secret-in-build-arg
ARG SECRET_KEY_BASE

# ruleid: secret-in-build-arg
ARG SECRET_TOKEN

# ruleid: secret-in-build-arg
ARG AUTH_TOKEN="this-is-a-secret"

# ruleid: secret-in-build-arg
ARG SSH_PRIVATE_KEY

# ruleid: secret-in-build-arg
ARG CERT_PASSWORD

# ruleid: secret-in-build-arg
ARG DJANGO_SECRET_KEY

# ruleid: secret-in-build-arg
ARG NEXUS_PASSWORD

# ruleid: secret-in-build-arg
ARG nexus_password