Yaml Env Sensitive Value Exposed
Description
Detects when sensitive information such as passwords, tokens, or secrets is exposed through environment variables in Docker Compose configuration files. This vulnerability could lead to unauthorized access to sensitive data if the Docker Compose files are shared or exposed.
Detection Strategy
• Scans Docker Compose YAML configuration files for environment variable definitions
• Examines environment variable values for sensitive data patterns like passwords, tokens, or secrets
• Reports a vulnerability when environment variables contain hardcoded sensitive values instead of using secure secret management
• Identifies sensitive data exposure in both environment: blocks and env_file: references
Vulnerable code example
version: "3.9"
services:
  app:
    image: myapp
    environment:
      - API_KEY_CLOUD_CLIENT_SECRET=${APIKEY_CLIENT_SECRET} # Vulnerable: Sensitive key exposed via env var
  db:
    image: postgres:latest...
✅ Secure code example
version: "3.9"
services:
  app:
    image: myapp
    environment:
      - API_KEY_CLOUD_CLIENT_SECRET_FILE=/run/secrets/api_key # Safe: Using Docker secrets instead of env var
    secrets:
      - api_key...
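The detection strategy described above, as an added example that is not Fluid Attacks' own scanner: a line-based Python checker that walks a Compose file, inspects every entry under environment: blocks (both list and mapping style) and every line of a referenced env_file:, and reports variables whose name looks sensitive unless the value is a /run/secrets/ mount. The sensitive-name pattern list, the severity wording, and the sample Compose and env-file contents are assumptions constructed for this example; the first two samples reproduce the page's vulnerable and secure snippets.

```python
import re
from typing import Dict, List, Optional, Tuple

# Variable names that suggest a credential. This pattern list is an assumption
# made for the example; the rule's own patterns are not published on the page.
SENSITIVE_KEY = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL)", re.IGNORECASE
)
# A Docker secrets mount path is the indirection the secure example uses.
SECRETS_MOUNT = re.compile(r"^/run/secrets/[\w.-]+$")
# Host-side interpolation such as ${VAR}, ${VAR:-default} or $VAR.
INTERPOLATION = re.compile(r"^\$(\{\w+(:-[^}]*)?\}|\w+)$")

Finding = Tuple[str, str, str]  # (location, variable name, reason)


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment; YAML and .env need whitespace before '#'."""
    return re.split(r"\s+#", line, maxsplit=1)[0].rstrip()


def _split_assignment(entry: str) -> Optional[Tuple[str, str]]:
    """Parse 'KEY=value' (list / .env style) or 'KEY: value' (mapping style)."""
    m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*)$", entry)
    if not m:
        return None
    return m.group(1), m.group(2).strip().strip("\"'")


def classify(name: str, value: str) -> Optional[str]:
    """Return a reason when the variable exposes a sensitive value, else None."""
    if not SENSITIVE_KEY.search(name):
        return None
    if SECRETS_MOUNT.match(value):
        return None  # *_FILE=/run/secrets/...: the secret itself never enters the env
    if value == "":
        return None  # bare pass-through from the host, no value stored in the file
    if INTERPOLATION.match(value):
        return "sensitive variable injected from host environment"
    return "hardcoded sensitive value"


def scan_compose(compose_text: str, env_files: Dict[str, str]) -> List[Finding]:
    """Check environment: blocks and env_file: references of one Compose file.

    env_files maps an env_file path to its contents so the scan runs offline.
    """
    findings: List[Finding] = []

    def check(location: str, entry: str) -> None:
        parsed = _split_assignment(entry)
        if parsed:
            reason = classify(*parsed)
            if reason:
                findings.append((location, parsed[0], reason))

    def check_env_file(path: str) -> None:
        for n, env_line in enumerate(env_files.get(path, "").splitlines(), 1):
            check(f"{path} line {n}", _strip_comment(env_line).strip())

    block: Optional[str] = None  # "environment" or "env_file" while inside it
    block_indent = -1
    for lineno, raw in enumerate(compose_text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        item = line.strip()
        if block and indent <= block_indent:
            block = None  # a dedent closes the block
        if block is None:
            key, _, rest = item.partition(":")
            if key in ("environment", "env_file"):
                if rest.strip():  # inline scalar form, e.g. env_file: ./app.env
                    if key == "env_file":
                        check_env_file(rest.strip())
                else:
                    block, block_indent = key, indent
            continue
        entry = (item[2:] if item.startswith("- ") else item).strip().strip("\"'")
        if block == "environment":
            check(f"compose line {lineno}", entry)
        else:
            check_env_file(entry)
    return findings


# Constructed samples: the page's two snippets plus an env_file case.
VULNERABLE_COMPOSE = """\
version: "3.9"
services:
  app:
    image: myapp
    environment:
      - API_KEY_CLOUD_CLIENT_SECRET=${APIKEY_CLIENT_SECRET}
  db:
    image: postgres:latest
"""
SECURE_COMPOSE = """\
version: "3.9"
services:
  app:
    image: myapp
    environment:
      - API_KEY_CLOUD_CLIENT_SECRET_FILE=/run/secrets/api_key
    secrets:
      - api_key
"""
ENV_FILE_COMPOSE = "services:\n  db:\n    image: postgres:latest\n    env_file:\n      - ./db.env\n"
ENV_FILES = {"./db.env": "POSTGRES_USER=app\nPOSTGRES_PASSWORD=hunter2  # constructed\n"}

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_COMPOSE), ("secure", SECURE_COMPOSE),
                        ("env_file", ENV_FILE_COMPOSE)):
        print(label, scan_compose(text, ENV_FILES))
```

The checker reports the page's vulnerable snippet (the secret-named variable is populated from the host environment, so it still lands in the container's environment and in any shared Compose file) and stays silent on the secure snippet, where only a path under /run/secrets/ appears. A hardcoded literal in a referenced env file is reported with the file name and line so the finding points at the actual source.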