You may have downloaded a Docker image because it seemed useful and saved time. So did I. The issue is that there are over 10,000 Docker Hub images containing shared secret passwords and access keys.
Anyone can download such an image and see the secrets contained within that image, so this presents a risk for all users.
What types of data were discovered?
Security researchers searched many public Docker images and found 10,456 images that contained highly sensitive information such as:
- Keys used for accessing cloud services
- Database credentials including usernames and passwords
- Automation tokens and CI/CD tokens
- API keys and AI service keys
Who else will be affected?
The security risk associated with Docker images is not limited to small developers. Exposed data has also been linked to more than 100 organizations, including large companies and banks.
Many images contain multiple secrets, so a single image may expose several systems at once.
How is it possible for an image to have numerous secrets?
Most leaks happen because of human error: a developer saves the secret(s) in a file such as .env or a configuration file, then builds a Docker image without removing that file, so it ends up inside the published image.
What are some steps you can take to protect yourself?
Some simple steps you can take include:
- Do not store passwords or keys in Docker images
- Use a secret management tool instead
- Always inspect a Docker image carefully before it is shared
- Rotate the keys immediately after a leak
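As an added example (not code from the original article), the following Python script inspects a `docker save` archive for the kind of leaked .env files and key material described above, which is the "inspect before sharing" step in practice. It uses only the standard library; the file names, secret patterns and the sample image it scans are constructed for illustration and are not exhaustive.

```python
import io
import re
import tarfile

# Illustrative, not exhaustive: file names the article names as the usual leak source, plus content shapes.
SECRET_FILE_NAMES = {".env", "credentials", "id_rsa"}
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "env_assignment": re.compile(rb"(?im)^[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)=\S+"),
}

def make_tar(files):
    """Build an uncompressed tar from {path: bytes} (used only to construct sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
def scan_layer(layer_bytes):
    """Walk one layer tar; return (path, reason) for every suspicious file."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer:
            if member.isfile():
                data = layer.extractfile(member).read(1 << 20)  # cap at 1 MiB per file
                if member.name.rsplit("/", 1)[-1] in SECRET_FILE_NAMES:
                    findings.append((member.name, "sensitive filename"))
                for label, pattern in SECRET_PATTERNS.items():
                    if pattern.search(data):
                        findings.append((member.name, label))
    return findings
def scan_image_tar(image_tar_bytes):
    """Scan every layer in a `docker save` archive (works for <id>/layer.tar and OCI blobs/ layouts)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes), mode="r:*") as image:
        for member in image:
            if member.isfile():
                try:
                    findings.extend(scan_layer(image.extractfile(member).read()))
                except tarfile.TarError:
                    pass  # manifest.json, config blobs and other non-layer members
    return findings
def build_sample_image():
    # Constructed sample: one layer where app/ was copied in together with its .env file.
    env = b"DB_PASSWORD=constructed-example\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n"
    layer = make_tar({"app/.env": env, "app/main.py": b"print('hello')\n"})
    return make_tar({"manifest.json": b"[]", "abc123/layer.tar": layer})
```

To check a real image, run `docker save myimage:tag -o image.tar` and pass the file's bytes to `scan_image_tar`; any finding means the image should be rebuilt with the file excluded and the exposed key rotated.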