DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations

Trending

  • Auto-Scaling Kinesis Data Streams Applications on Kubernetes
  • Google Becomes A Java Developer's Best Friend: Instantiations Developer Tools Relaunched For Free
  • Top 10 Pillars of Zero Trust Networks
  • Managing Data Residency, the Demo
  1. DZone
  2. Software Design and Architecture
  3. Cloud Architecture
  4. How to Avoid Leaking Sensitive Information Into Docker Images

How to Avoid Leaking Sensitive Information Into Docker Images

Learn more about Docker image security.

Liran Tal user avatar by
Liran Tal
CORE ·
May. 03, 19 · Tutorial
Like (2)
Save
Tweet
Share
7.84K Views

Join the DZone community and get the full member experience.

Join For Free

This tip is part of a complete 10 Docker image security best practices you should adopt. Thanks for reading, and thanks to Omer Levi Hevroni who worked helped me.

Sometimes, when building an application inside a Docker image, you need secrets such as an SSH private key to pull code from a private repository, or you need tokens to install private packages.

If you copy them into the Docker intermediate container, they are cached on the layer to which they were added, even if you delete them later on. These tokens and keys must be kept outside of the Dockerfile.

Using Multi-Stage Builds

By leveraging Docker support for multi-stage builds, fetch and manage secrets in an intermediate image layer that is later disposed of so that no sensitive data reaches the image build.

Use code to add secrets to said intermediate layer, such as in the following example:

FROM: ubuntu as intermediate

WORKDIR /app
COPY secret/key /tmp/
RUN scp -i /tmp/key build@acme/files .

FROM ubuntu
WORKDIR /app
COPY --from intermediate /app .


Using Docker Secret Commands

Use an alpha feature in Docker for managing secrets to mount sensitive files without caching them, similar to the following:

# syntax = docker/dockerfile:1.0-experimental
FROM alpine

# shows secret from default secret location
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecre

# shows secret from custom secret location
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar


Beware of Recursive Copy

You should also be mindful when copying files into the image that is being built.

For example, the following command copies the entire build context folder, recursively, to the Docker image, which could end up copying sensitive files as well:

COPY . .


If you have sensitive files in your folder, either remove them or use .dockerignore to ignore them:

private.key
appsettings.json


The original blog post includes a high-resolution printable PDF like the snippet you see below. Check it out

Image title


Docker (software)

Opinions expressed by DZone contributors are their own.

Trending

  • Auto-Scaling Kinesis Data Streams Applications on Kubernetes
  • Google Becomes A Java Developer's Best Friend: Instantiations Developer Tools Relaunched For Free
  • Top 10 Pillars of Zero Trust Networks
  • Managing Data Residency, the Demo

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com

Let's be friends: