Docker Wget Password Hardcoded
Description
Identifies hardcoded credentials in Docker files where wget commands contain plaintext passwords. This is a security risk as hardcoded passwords in Docker files can be exposed in version control, images, and build logs, potentially leading to unauthorized access to protected resources.
Detection Strategy
• Check for lines starting with 'RUN' in Dockerfile
• Look for wget commands that include the '--password' parameter
• Verify if the password value is hardcoded (enclosed in quotes) rather than using a variable
• Flag cases where passwords are directly specified instead of using environment variables or secrets management
Vulnerable code example
FROM ubuntu:20.04
# Vulnerable: Hardcoded credentials exposed in RUN command
RUN wget --user=guest --password="secretpass123" https://example.com/files
WORKDIR /app✅ Secure code example
FROM ubuntu:20.04
# Use Docker secrets to handle credentials securely
# .wgetrc file will contain credentials and is mounted at runtime
RUN --mount=type=secret,id=wget_creds,target=/root/.wgetrc \
wget https://example.com/files
WORKDIR /appSearch for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.