Docker Secrets Detection

Scan Docker configuration files for exposed secrets, credentials, and sensitive data.

File Scanning Targets

Dockerfile

docker-compose*.yml

.env

.env.*

entrypoint.sh

Detection Patterns

1. Hardcoded Passwords

# CRITICAL: Password in Dockerfile (persists in image layers)
ENV MYSQL_ROOT_PASSWORD=SuperSecret123
ARG ADMIN_PASSWORD=admin123

# CRITICAL: Password in docker-compose.yml
services:
  database:
    environment:
      POSTGRES_PASSWORD: my_secret_password

2. API Keys and Tokens

# CRITICAL: API keys in build args
ARG GITHUB_TOKEN=ghp_ABCDEFghijklmnop1234567890
ENV STRIPE_SECRET_KEY=sk_live_xxxxxxxxxxxxxxxxxxxx
ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

3. Private Keys and Certificates

# CRITICAL: Private key copied into image
COPY id_rsa /root/.ssh/id_rsa
COPY server.key /etc/ssl/private/server.key
ENV PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIE..."

4. Database Connection Strings

# CRITICAL: Full connection string with credentials
ENV DATABASE_URL="postgresql://admin:secret@db:5432/myapp"
ENV REDIS_URL="redis://:password@redis:6379/0"

5. Default and Weak Passwords

# HIGH: Default/weak passwords in compose
services:
  database:
    environment:
      POSTGRES_PASSWORD: postgres
      MYSQL_ROOT_PASSWORD: root

Grep Patterns

# Passwords in Docker files
Grep: "(PASSWORD|PASSWD|PASS)\s*[:=]\s*['\"]?[a-zA-Z0-9!@#$%^&*()_+]{4,}" --glob "**/Dockerfile*" --glob "**/docker-compose*.yml" --glob "**/.env*"

# API keys and tokens
Grep: "(API_KEY|API_SECRET|ACCESS_KEY|SECRET_KEY|AUTH_TOKEN)\s*[:=]\s*['\"]?[a-zA-Z0-9_\-]{10,}" --glob "**/Dockerfile*" --glob "**/.env*"

# GitHub token pattern
Grep: "ghp_[a-zA-Z0-9]{36}" --glob "**/Dockerfile*" --glob "**/.env*"

# AWS key pattern
Grep: "AKIA[0-9A-Z]{16}" --glob "**/Dockerfile*" --glob "**/.env*"

# Private keys
Grep: "PRIVATE.KEY|BEGIN RSA|BEGIN EC|BEGIN OPENSSH" --glob "**/Dockerfile*"
Grep: "COPY.*(\.pem|\.key|id_rsa|id_ed25519)" --glob "**/Dockerfile*"

# Connection strings with credentials
Grep: "(mysql|postgres|postgresql|mongodb|redis)://[^:]+:[^@]+@" --glob "**/Dockerfile*" --glob "**/.env*"

# Default passwords
Grep: "(PASSWORD|PASSWD)\s*[:=]\s*['\"]?(password|root|admin|secret|123456)['\"]?" -i --glob "**/docker-compose*.yml" --glob "**/.env*"

# Credentials in entrypoint scripts
Grep: "(-p['\"][^'\"]+['\"]|--password[= ]['\"]?[a-zA-Z0-9])" --glob "**/entrypoint*.sh"

False Positive Handling

PASSWORD=${DB_PASSWORD}

${}

$()

password: ""

# ENV PASSWORD=xxx

#

PASSWORD_FILE=/run/secrets/db

*_FILE

.env.example

.example

Remediation Patterns

Docker Compose Secrets

services:
  php-fpm:
    secrets: [db_password, api_key]
    environment:
      DB_PASSWORD_FILE: /run/secrets/db_password
secrets:
  db_password:
    file: ./secrets/db_password.txt
  api_key:
    external: true

BuildKit Build Secrets

RUN --mount=type=secret,id=composer_auth,target=/root/.composer/auth.json \
    composer install --no-dev
# Usage: docker build --secret id=composer_auth,src=auth.json .

Severity Classification

Output Format

### Secret Detected: [Type]

**Severity:** Critical/High/Medium
**File:** `<file_path>:<line>`
**Type:** Password / API Key / Token / Private Key / Connection String

**Detection:**

// Matched pattern (redacted)

**Risk:**
[What could be compromised with this secret]

**Remediation:**
```yaml
// Secure alternative using Docker secrets or env_file

Verification Checklist:

• Secret removed from file
• File added to .gitignore if needed
• Git history cleaned if secret was committed
• Secret rotated (old value is compromised)