Docker Env Sensitive Value Exposed
Description
Detects hardcoded sensitive information exposed in Dockerfile ENV instructions. This poses a security risk because secrets embedded directly in a Dockerfile are committed to version control and persist in the built image's metadata, where anyone who can pull or inspect the image can read them, potentially leading to unauthorized access.
Detection Strategy
• Identifies ENV instructions in Dockerfile that set environment variables
• Checks if the environment variable name contains sensitive terms like 'password', 'secret', 'api_key', 'license_key', or 'jboss_pass'
• Verifies the value is hardcoded (not using variable interpolation like $VAR or #{VAR}#)
• Reports a vulnerability when a sensitive environment variable contains a literal value instead of using secure secret management
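A minimal checker that follows the four steps above, added here as an example (it is not Fluid Attacks' own analyzer code): it joins backslash continuations, accepts both the legacy `ENV NAME value` form and `ENV NAME=value`, uses the term list stated above (so a name like NEW_USER is not matched unless the list is extended), and treats `$VAR`, `${VAR}` and `#{VAR}#` as non-literal. Assumptions: trailing `# note` annotations as used in this page's samples are stripped, and values are unquoted or simply quoted without embedded spaces.

```python
import re
# Name fragments the rule above treats as sensitive.
SENSITIVE_TERMS = ("password", "secret", "api_key", "license_key", "jboss_pass")
# Values that defer to an external variable ($VAR, ${VAR} or #{VAR}#) are not hardcoded.
INTERPOLATED = re.compile(r"^(?:\$\{?[A-Za-z_]\w*\}?|#\{[A-Za-z_]\w*\}#)$")

def _logical_lines(dockerfile):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or whole-line comment
        # Assumption: trailing "# note" annotations (used in this page's samples) are dropped.
        text = stripped.split(" #", 1)[0].rstrip()
        start = n if start is None else start
        if text.endswith("\\"):
            buf.append(text[:-1].rstrip())
            continue
        buf.append(text)
        yield start, " ".join(buf)
        buf, start = [], None

def _env_pairs(args):
    """(name, value) pairs from 'NAME value' (legacy form) or 'NAME=value [N2=v2 ...]'."""
    if "=" not in args.split(None, 1)[0]:
        name, _, value = args.partition(" ")  # rest of the line is the value
        return [(name, value.strip())]
    return [tuple(tok.split("=", 1)) for tok in args.split() if "=" in tok]  # unquoted values only

def find_hardcoded_secrets(dockerfile):
    """Return [(line_no, name, value)] for sensitive ENV names set to a literal value."""
    findings = []
    for line_no, text in _logical_lines(dockerfile):
        parts = text.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "ENV":
            for name, value in _env_pairs(parts[1]):
                literal = value.strip("'\"")
                if any(t in name.lower() for t in SENSITIVE_TERMS) and literal and not INTERPOLATED.match(literal):
                    findings.append((line_no, name, literal))
    return findings

# Constructed sample mixing the vulnerable and secure patterns shown on this page.
SAMPLE = """# build-time configuration
ENV API_KEY '123' # Vulnerable: hardcoded
ENV API_KEY_CLOUD_CLIENT_SECRET=abc
ENV DB_PASSWORD=${DB_PASSWORD} # Safe: injected at runtime
ENV LICENSE_KEY=#{LICENSE}# JBOSS_PASS="#{JBOSS}#" \\
    READ_TIMEOUT=10000
"""
```

Running `find_hardcoded_secrets(SAMPLE)` reports only lines 2 and 3; the interpolated values and the non-sensitive timeout on the continued line are left alone.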
Vulnerable code example
# Dockerfile with insecure environment variable declarations
ENV API_KEY '123' # Vulnerable: Hardcoded API key in plaintext
ENV NEW_USER='123' # Vulnerable: Hardcoded user credentials
ENV API_KEY_CLOUD_CLIENT_SECRET=abc # Vulnerable: Exposing secret in plain text
✅ Secure code example
# Dockerfile with secure environment variable declarations
ENV API_KEY=${API_KEY} # Safe: References external environment variable
ENV NEW_USER=${NEW_USER} # Safe: User credentials passed at runtime
ENV API_KEY_CLOUD_CLIENT_SECRET=${CLIENT_SECRET} # Safe: Secret injected from environment
# Optional runtime configuration
ENV READ_TIMEOUT=10000 \
CONNECTION_TIMEOUT=10000 \...