Docker Hardcoded Chpasswd Credentials
Description
Detects hardcoded credentials in Dockerfiles where passwords are set using the chpasswd command. This is a security risk because hardcoded passwords in build files can be exposed through version control or image inspection, potentially allowing unauthorized system access.
Detection Strategy
• Scans Dockerfile content line by line
• Identifies RUN commands that pipe output from echo, printf, or cat commands into chpasswd
• Reports a vulnerability when credentials are directly specified in these commands (e.g., RUN echo 'user:password' | chpasswd)
• The check is case-insensitive to catch variations in command syntax
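The strategy above as a worked example, added here and not Fluid Attacks' own scanner code: a small Python checker that joins backslash-continued lines so a multi-line RUN is matched as one instruction, skips Dockerfile comment lines, matches case-insensitively, and reports the line where each offending instruction starts. The sample Dockerfile is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed sample Dockerfile (not from the original page): echo/printf/cat piped
# into chpasswd, mixed case, a backslash-continued RUN, a safe line, a comment line.
SAMPLE_DOCKERFILE = """\
FROM debian:bullseye-slim
RUN useradd -m user1 && echo 'user1:password123' | chpasswd
run printf 'user2:supersecret' | CHPASSWD
RUN cat /tmp/creds.txt | chpasswd
RUN useradd -m user3 && \\
    echo "user3:hunter2" | chpasswd -e
RUN echo 'no password here' && useradd -m user4
# RUN echo 'user5:commented' | chpasswd
"""

# A RUN instruction whose echo/printf/cat output is piped into chpasswd.
# [^|]* keeps the match to the pipeline segment directly before the pipe.
_PATTERN = re.compile(
    r"^\s*RUN\b.*?\b(echo|printf|cat)\b[^|]*\|\s*chpasswd\b", re.IGNORECASE
)


def _logical_lines(content: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; return (starting line number, joined text)."""
    joined: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = 0
    for idx, raw in enumerate(content.splitlines(), start=1):
        if not buf:
            start = idx
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        joined.append((start, " ".join(buf)))
        buf = []
    if buf:  # file ended with a dangling continuation
        joined.append((start, " ".join(buf)))
    return joined


def find_hardcoded_chpasswd(content: str) -> List[Tuple[int, str]]:
    """Return (line number, instruction) for each RUN that pipes credentials
    into chpasswd; Dockerfile comment lines are never executed, so skip them."""
    return [
        (lineno, text.strip())
        for lineno, text in _logical_lines(content)
        if not text.lstrip().startswith("#") and _PATTERN.search(text)
    ]
```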
Vulnerable code example
FROM debian:latest
# Insecure: Hardcoding plain text password directly in Dockerfile
RUN useradd -m user1 && echo 'user1:password123' | chpasswd
# Insecure: Another instance of hardcoded credentials
RUN adduser --disabled-password --gecos "" user2 && echo 'user2:supersecret' | chpasswd
...
✅ Secure code example
# Specify an exact version instead of latest (Dockerfile comments must be on their own line)
FROM debian:bullseye-slim
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y \
passwd \
sudo \
&& rm -rf /var/lib/apt/lists/* # Clean up to reduce image size...