How to Avoid Leaking Sensitive Information Into Docker Images

Learn more about Docker image security.

By Liran Tal · May 03, 2019 · Tutorial


This tip is part of a complete list of 10 Docker image security best practices you should adopt. Thanks for reading, and thanks to Omer Levi Hevroni who helped me.

Sometimes, when building an application inside a Docker image, you need secrets such as an SSH private key to pull code from a private repository, or you need tokens to install private packages.

If you copy them into an intermediate container during the build, they are baked into the layer that added them, and they stay there even if you delete them in a later step: a later `rm` only records a whiteout on top of the earlier layer, and the file itself is still present in the layer history. These tokens and keys must be kept outside of the Dockerfile.

Using Multi-Stage Builds

By leveraging Docker support for multi-stage builds, fetch and manage secrets in an intermediate stage whose layers are later discarded, so that no sensitive data reaches the final image. Note that the intermediate stage's layers still exist in the local build cache on the build host; they are simply not part of the image you tag and push.

Use code to add secrets to said intermediate layer, such as in the following example:

# Intermediate stage: the private key is copied here only; this stage's layers are not part of the final image
FROM ubuntu AS intermediate

WORKDIR /app
COPY secret/key /tmp/
RUN scp -i /tmp/key build@acme:files .

# Final stage: copy only the fetched files; the key never enters these layers
FROM ubuntu
WORKDIR /app
COPY --from=intermediate /app .


Using Docker Secret Commands

Use an alpha feature in Docker (BuildKit secret mounts) for managing secrets: the secret file is mounted into a single RUN step without being cached in any layer, similar to the following:

# syntax=docker/dockerfile:1.0-experimental
FROM alpine

# Build with BuildKit and pass the secret in from the host at build time, e.g.:
#   DOCKER_BUILDKIT=1 docker build --secret id=mysecret,src=./mysecret.txt .
# The file is mounted only for the duration of each RUN step below and is never written to a layer.
# (cat is for demonstration only: printing a secret into the build log defeats the purpose.)

# shows secret from default secret location
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

# shows secret from custom secret location
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar


Beware of Recursive Copy

You should also be mindful when copying files into the image that is being built.

For example, the following command copies the entire build context folder, recursively, to the Docker image, which could end up copying sensitive files as well:

COPY . .


If you have sensitive files in your folder, either remove them or list them in a .dockerignore file so they are excluded from the build context and can never be copied, for example:

private.key
appsettings.json
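
As an added check (example code written for this article, not part of the original post): a Python scanner for a `docker save` archive, assumed to be in the classic `<id>/layer.tar` layout, that lists files matching sensitive-name patterns in every layer and flags the ones a later layer deleted with a whiteout, which is exactly the "deleted later but still cached" case described above; it also catches files swept in by a recursive `COPY . .`, and `demo()` builds a constructed two-layer archive so it runs offline.

```python
import fnmatch
import io
import os
import tarfile
import tempfile

SENSITIVE_PATTERNS = ("*.key", "*.pem", "id_rsa*", ".npmrc", ".env", "appsettings.json")  # constructed sample list

def _layers(image_tar):
    """Yield (name, TarFile) for each <id>/layer.tar in a classic `docker save` archive."""
    for member in image_tar.getmembers():
        if member.isfile() and member.name.endswith("layer.tar"):
            data = image_tar.extractfile(member).read()
            yield member.name, tarfile.open(fileobj=io.BytesIO(data), mode="r:")

def find_leaked_secrets(image_tar_path, patterns=SENSITIVE_PATTERNS):
    """Return (leaked, whiteouts): leaked maps path -> layers still carrying the file,
    whiteouts maps path -> layer that deleted it. A path in both = deleted but still cached."""
    leaked, whiteouts = {}, {}
    with tarfile.open(image_tar_path, mode="r:") as image_tar:
        for layer_name, layer in _layers(image_tar):
            for entry in layer.getmembers():
                base = os.path.basename(entry.name)
                if base.startswith(".wh."):  # overlayfs whiteout marker left by `rm` in a later layer
                    original = os.path.join(os.path.dirname(entry.name), base[4:])
                    whiteouts[original] = layer_name
                elif entry.isfile() and any(fnmatch.fnmatch(base, p) for p in patterns):
                    leaked.setdefault(entry.name, []).append(layer_name)
    return leaked, whiteouts

def _tar_bytes(files):
    """Build an uncompressed tar archive (bytes) from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo():
    """Constructed two-layer image: layer 1 COPYs private.key, layer 2 RUNs `rm` on it."""
    layer1 = _tar_bytes({"app/private.key": b"-----BEGIN KEY-----", "app/main.py": b"print(1)"})
    layer2 = _tar_bytes({"app/.wh.private.key": b""})
    path = os.path.join(tempfile.mkdtemp(), "image.tar")
    with open(path, "wb") as f:
        f.write(_tar_bytes({"aaa/layer.tar": layer1, "bbb/layer.tar": layer2}))
    return find_leaked_secrets(path)
```

`demo()` reports `app/private.key` in both dicts: layer `aaa` still carries the key although layer `bbb` removed it. Against a real image, run `docker save myimage -o image.tar` and call `find_leaked_secrets("image.tar")`.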


The original blog post includes a high-resolution printable PDF of these tips. (Image of the PDF snippet omitted.)