Cyber Security

How to implement Secret Scanning to prevent API keys from leaking in Docker images?

PA Asked by Patrick Scott · 22-03-2024
0 upvotes 11,427 views 0 comments
The question

We recently had a security incident where a developer accidentally hardcoded a cloud provider API key into a Dockerfile. Even though the key was deleted in a later commit, it stayed in the Docker layer history and was discovered by an attacker. How do we set up an automated "Secret Scanner" that looks at the entire Git history and the final container image? Is it better to block the commit locally on the dev's machine or scan it during the CI build?

 

3 answers

0
AN
Answered on 24-03-2024

The short answer is: you must do both. Use a tool like 'ggshield' or 'trufflehog' as a "pre-commit hook" to stop the secret from ever leaving the developer's laptop. However, since hooks can be bypassed, you also need a "failsafe" scan in your CI pipeline. For Docker specifically, use 'Trivy' or 'Clair' to scan the final image layers. If a secret is found in a hidden layer, these tools will flag the image as non-compliant. To fix your current issue, you'll need to rotate the leaked key immediately and use a tool like 'BFG Repo-Cleaner' to scrub the secret from your entire Git history before it is further exposed. 

0
GE
Answered on 26-03-2024

How are you managing your secrets now? If you move to a "Dynamic Secret" model with HashiCorp Vault, the leaked keys would only be valid for a few minutes anyway, which drastically reduces the risk. 

TH 27-03-2024

George, moving to Vault was the best decision we ever made. Instead of hardcoding keys, our apps now use a "Sidecar" to fetch a temporary token from Vault at startup. This means our Docker images contain zero secrets. Even if an attacker pulls the image from our registry, they find nothing but code. We also enabled "Secret Scanning" in GitHub, which automatically alerts us if any of our known AWS or Stripe keys appear in a public repo. This "Defense in Depth" approach has made our development process much more resilient to human error.

0
MI
Answered on 29-03-2024

Never trust the developer to remember to run the scanner. If it isn't "Enforced" in the CI/CD gateway, it doesn't exist. Automation is the only way to ensure 100% coverage. 

PA 30-03-2024

100% agree. We made the secret scan a "Hard Failure" in our pipeline. If 'trufflehog' finds so much as a suspicious string, the build stops and the security team gets paged.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session