Yaml Sshpass Hardcoded Password
Description
Detects hardcoded SSH passwords in Docker Compose files that are passed on the command line to the 'sshpass' command. This is a security risk: storing passwords in plain text in Docker configuration files can lead to unauthorized access if the files are exposed or compromised.
Detection Strategy
• Scan Docker Compose YAML files for 'command:' entries
• Check whether the command value invokes 'sshpass' with a hardcoded password
• Flag any instance where an SSH password is specified directly in a Docker Compose command rather than supplied through a secure authentication method
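The three steps above, carried out in code. This is an added example written for this page, not Fluid Attacks' own scanner. The detection logic runs on the parsed Compose structure (a plain dict), so it works without PyYAML; the 'load_compose' helper assumes PyYAML is installed when real files are scanned. It goes slightly beyond the rule text in two ways: it inspects 'entrypoint' as well as 'command', and it does not flag 'sshpass -e', 'sshpass -f' or a '-p ${VAR}' Compose variable reference, since none of those hardcode the password in the file. The 'SAMPLE_COMPOSE' input and all service names and passwords in it are constructed for the example.

```python
"""Scan Docker Compose service definitions for sshpass with a hardcoded password.

Added example for this rule, not Fluid Attacks' scanner. Works on the parsed
Compose structure (dict), so PyYAML is only needed by load_compose().
"""
import shlex
from typing import List, Optional, Tuple, Union

Command = Union[str, List[str], None]

# Constructed sample input; service names and passwords are made up.
SAMPLE_COMPOSE = {
    "version": "3",
    "services": {
        "app": {"image": "myapp",
                "command": ["sshpass", "-p", "secret123", "sftp", "user@server"]},
        "batch": {"image": "myapp",
                  "command": 'sh -c "sshpass -psecret456 ssh user@host uptime"'},
        "safe": {"image": "myapp",
                 "command": ["sshpass", "-e", "sftp", "user@server"]},
        "interp": {"image": "myapp",
                   "command": ["sshpass", "-p", "${SFTP_PASS}", "sftp", "user@server"]},
        "db": {"image": "database"},
    },
}


def _safe_split(text: str) -> List[str]:
    """shlex.split that tolerates unbalanced quotes (returns the text as one token)."""
    try:
        return shlex.split(text)
    except ValueError:
        return [text]


def _as_argv(command: Command) -> List[str]:
    """Normalise a Compose 'command'/'entrypoint' value (string or list) into argv.

    A single token that itself holds a shell command line (e.g. the argument of
    sh -c "sshpass -p ... ssh host") is split again so the sshpass inside is seen.
    """
    if command is None:
        return []
    raw = _safe_split(command) if isinstance(command, str) else [str(t) for t in command]
    argv: List[str] = []
    for token in raw:
        if token != "sshpass" and "sshpass" in token and any(c.isspace() for c in token):
            argv.extend(_safe_split(token))
        else:
            argv.append(token)
    return argv


def _is_literal(value: str) -> bool:
    """A password is hardcoded unless it is a Compose variable reference ($VAR / ${VAR})."""
    return not value.startswith("$")


def find_sshpass_passwords(argv: List[str]) -> List[str]:
    """Return the hardcoded passwords given to sshpass via '-p PASS' or '-pPASS'.

    '-e' (SSHPASS env var) and '-f FILE' are not hardcoded and are skipped;
    '-d N' and '-P PROMPT' take an argument and are skipped as well.
    """
    findings: List[str] = []
    i = 0
    while i < len(argv):
        if argv[i] != "sshpass":
            i += 1
            continue
        j = i + 1
        while j < len(argv):           # walk sshpass's own options
            opt = argv[j]
            if opt == "-p" and j + 1 < len(argv):
                if _is_literal(argv[j + 1]):
                    findings.append(argv[j + 1])
                j += 2
            elif opt.startswith("-p") and len(opt) > 2:   # attached form: -pPASS
                if _is_literal(opt[2:]):
                    findings.append(opt[2:])
                j += 1
            elif opt.startswith("-e") or opt in ("-v", "-h", "-V"):
                j += 1
            elif opt in ("-f", "-d", "-P"):
                j += 2
            else:
                break                  # first token of the wrapped ssh/sftp command
        i = j
    return findings


def scan_compose(compose: dict) -> List[Tuple[str, str]]:
    """Return (service, password) pairs for every hardcoded sshpass password found."""
    findings: List[Tuple[str, str]] = []
    for name, service in (compose.get("services") or {}).items():
        if not isinstance(service, dict):
            continue
        for key in ("command", "entrypoint"):
            for password in find_sshpass_passwords(_as_argv(service.get(key))):
                findings.append((name, password))
    return findings


def load_compose(path: str) -> dict:
    """Load a Compose file; assumes PyYAML is installed (import is deferred)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    import sys
    target = load_compose(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_COMPOSE
    for service, password in scan_compose(target):
        print(f"service '{service}': hardcoded sshpass password ({password[:2]}***)")
```

Run it with a path to a Compose file, or with no arguments to scan the built-in sample, which reports the 'app' and 'batch' services and stays silent on 'safe' and 'interp'. The string-form command is handled by re-splitting the 'sh -c' argument, which is where this pattern usually hides once a compose file has been through a few edits.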
Vulnerable code example
version: '3'
services:
  app:
    image: myapp
    command: ["sshpass", "-p", "secret123", "sftp", "user@server"] # Vulnerable: Hardcoded password in command
  db:
    image: database...
Secure code example
version: '3.8'
services:
  app:
    image: myapp
    secrets:
      - sftp_pass
    environment:...