Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(checks): add secrets leak check in Dockerfile #265

Merged
merged 12 commits into from
Oct 16, 2024
Merged

feat(checks): add secrets leak check in Dockerfile #265

merged 12 commits into from
Oct 16, 2024

Conversation

nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Oct 7, 2024
edited
Loading

Close aquasecurity/trivy#7639

The check is triggered in the following cases:

  1. Using a secret environment variable in the argument (ARG) or environment variable (ENV).

Dockerfile:

FROM alpine
ARG GITHUB_TOKEN

Output:

CRITICAL: Possible exposure of secret env "GITHUB_TOKEN" in ARG
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:4
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   4 [ ARG GITHUB_TOKEN
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  1. Copying a secret file, such as an AWS credential file, to an image.

Dockerfile:

FROM alpine
ENV AWS_CONFIG_FILE=/.aws/config
COPY ./config $AWS_CONFIG_FILE

Output:

CRITICAL: Possible exposure of secret file "AWS_CONFIG_FILE" in COPY
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile.dev1:3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ COPY ./config $AWS_CONFIG_FILE
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Or

FROM alpine
COPY . .
ENV GOOGLE_APPLICATION_CREDENTIALS="./news-extraction.json"
  1. Setting credentials via the setup command.
    Dockerfile:
FROM amazon/aws-cli:latest

RUN aws configure set aws_access_key_id test-id && \
    aws configure set aws_secret_access_key test-key

Output:

CRITICAL: Possible exposure of secret in RUN
═══════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile.dev5:3-4
───────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ RUN aws configure set aws_access_key_id test-id && \
   4 └     aws configure set aws_secret_access_key test-key
───────────────────────────────────────────────────────────────────────────────────────────────────────────

This ignores the instructions that the secret mount uses:

# syntax=docker/dockerfile:1

FROM python:3.9-slim

RUN apt-get update && apt-get install -y curl unzip \
    && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
    && unzip awscliv2.zip \
    && ./aws/install

RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=aws-secret-key,env=AWS_SECRET_ACCESS_KEY \
    aws configure set aws_access_key_id $(cat /run/secrets/aws-key-id) && \
    aws configure set aws_secret_access_key $(cat /run/secrets/aws-secret-key)

@nikpivkin
Copy link
Contributor Author

@simar7 Do we need to create two separate checks for secret checking and password detection?

simar7
simar7 reviewed Oct 8, 2024
View reviewed changes
checks/docker/leaked_secrets.rego
# avd_id: AVD-DS-0031
# severity: CRITICAL
# short_code: do-not-pass-secrets
# recommended_action: Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# recommended_action: Use secret mount if secrets are needed during image build. Use volume mount if secret files are needed during container runtime.
# recommended_action: Use secret mount if secrets are needed during image build. Use volume mount if secured files are needed during container runtime.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why “secured”?

simar7
simar7 reviewed Oct 8, 2024
View reviewed changes
cmd/id/main.go
Comment on lines +18 to +19
rules.Reset()
rego.LoadAndRegister()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious why this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only loads Rego checks.

simar7
simar7 reviewed Oct 8, 2024
View reviewed changes
checks/docker/leaked_secrets.rego Outdated
Comment on lines 66 to 70
# TODO: Should arguments be checked?
is_arg_or_env(cmd) if {
check_args
cmd == "arg"
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what's a case that you are thinking to check the args for?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made it enabled by default 9fc294b

@nikpivkin nikpivkin requested a review from simar7 October 9, 2024 15:40
@nikpivkin
Copy link
Contributor Author

@simar7 Do we need to create two separate checks for secret checking and password detection?

Added this here 5ad893d

@nikpivkin @simar7
feat(checks): add secrets leak check in Dockerfile
5bbf318 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
feat: check credentials setup in RUN
5ce9d95 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
refactor: move functions to lib
efdcf73 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
check arguments by default
7b87dfb 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
use included_envs from data
d44d3eb 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
remove exluded_envs
773da6a 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
use regex to find credential setup commands
228b756 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
feat: check secret keywords in arg and env
d0c11da 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
add more envs
77f5ee3 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
feat: handle multiple decls in arg and env
4f3c4d7 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin @simar7
update rules
178c621 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin
add usr and psw tokens
8a715fb 
Signed-off-by: Nikita Pivkin <[email protected]>
@nikpivkin nikpivkin marked this pull request as ready for review October 14, 2024 07:13
@nikpivkin
Copy link
Contributor Author

nikpivkin commented Oct 14, 2024
edited
Loading

@simar7 I added the ability to add custom environment variables to easily extend the check.

❯ cat my-envs.yaml
ds031:
  included_envs: ["MY_SECRET"]

❯ cat Dockerfile.custom
from alpine

arg MY_SECRET

❯ trivy conf -d Dockerfile.custom --config-data my-envs.yaml
CRITICAL: Possible exposure of secret env "MY_SECRET" in ARG
═══════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile.custom:3
───────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ arg MY_SECRET
───────────────────────────────────────────────────────────────────────────────────────────────────────────

This can also be implemented for secret tokens if there is a need.

@simar7 simar7 added this pull request to the merge queue Oct 16, 2024
Merged via the queue into aquasecurity:main with commit 4b62f66 Oct 16, 2024
5 checks passed
@nikpivkin nikpivkin deleted the docker-secrets branch October 16, 2024 04:13
@irbull
Copy link

irbull commented Oct 30, 2024
edited
Loading

We just got bit flagged by this today. It's not clear why this just happened today as this was merged 2 weeks ago.

However, the URL it suggests to visit for more information, returns a 404: https://avd.aquasec.com/misconfig/ds031.

Is that a separate issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 simar7 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat(checks): Adding IAC check for secrets inserted into docker layer
3 participants
@nikpivkin @irbull @simar7