Docker Secret Mount Overpermissive Mode
Description
Detects overly permissive permissions on Docker secret or SSH mounts. When secrets or SSH keys are mounted with write or execute permissions (modes ending in 3 or 7), the mounted sensitive data can be modified or executed, which creates a security risk.
Detection Strategy
• Scans Dockerfile content line by line looking for 'RUN' instructions
• Identifies mount commands that use secret or ssh type (--mount=type=secret or --mount=type=ssh)
• Checks if the mount command includes a mode parameter set to a value ending in 3 or 7 (e.g. 0773, 443, 777)
• Reports a vulnerability when sensitive mounts have write or execute permissions
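The strategy above, implemented as an added example (not Fluid Attacks' own detector): it scans RUN instructions for --mount flags of type secret or ssh and flags any mode ending in 3 or 7. Going one step beyond the page's line-by-line description, it joins backslash continuations so multi-line RUN instructions are checked as one logical line; the sample Dockerfile is constructed for the demo.

```python
import re

# Added example, not Fluid Attacks' own detector: implements the strategy above
# (RUN --mount of type secret/ssh with mode ending in 3 or 7) and, beyond the
# page, joins backslash continuations so multi-line RUNs are scanned as one.
MOUNT_RE = re.compile(r"--mount=(\S+)")

def logical_lines(text: str):
    """Yield (first_lineno, joined_text), merging trailing-backslash continuations."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        start = lineno if start is None else start
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a dangling continuation
        yield start, " ".join(buf)

def find_overpermissive_mounts(dockerfile: str) -> list[tuple[int, str, str]]:
    """Return (line, mount_type, mode) for each secret/ssh mount whose mode ends in 3 or 7."""
    findings = []
    for lineno, line in logical_lines(dockerfile):
        if not line.lstrip().upper().startswith("RUN"):
            continue
        for opts in MOUNT_RE.findall(line):
            kv = dict(p.split("=", 1) for p in opts.split(",") if "=" in p)
            if kv.get("type", "bind") not in ("secret", "ssh"):  # type defaults to bind
                continue
            mode = kv.get("mode")  # no mode keeps Docker's default (0400 secret, 0600 ssh)
            if mode and mode[-1] in "37":
                findings.append((lineno, kv["type"], mode))
    return findings

# Constructed sample Dockerfile; lines 3 and 7 should be flagged.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:20.04
# Unsafe: world read/write/execute on the mounted secret
RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh
# Safe: owner-only access
RUN --mount=type=secret,id=build_secret,mode=0700 ./installer.sh
# Unsafe: ssh mount with write+execute for others, split over two lines
RUN --mount=type=ssh,id=default,mode=0773 \\
    git clone git@example.invalid:org/repo.git
# Out of scope: a cache mount is not secret material
RUN --mount=type=cache,target=/root/.cache,mode=0777 pip install -r requirements.txt
"""
```

Running find_overpermissive_mounts(SAMPLE_DOCKERFILE) reports the secret mount on line 3 and the ssh mount on line 7, while the 0700 secret mount and the cache mount pass.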
Vulnerable code example
FROM ubuntu:20.04
# Unsafe: mode=0777 exposes secret with full read/write/execute permissions to all users
RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh
✅ Secure code example
FROM ubuntu:20.04
# Safe: mode=0700 restricts secret access to only the owner (root)
RUN --mount=type=secret,id=build_secret,mode=0700 ./installer.sh