feat(checks): Adding IAC check for secrets inserted into docker layer #7639
Comments
simar7
added
kind/feature
|
Should the check find potential use of secrets in the Dockerfile, or find secrets in the docker history? |
It's already supported. I think we need the former. |
|
Then I think we can define secrets in the following ways:
We can also take into account setting environment variables in a specific way. You need to add the VITE and REACT_APP prefix to pass environment variables to React or Vite applications, respectively. Here is an example of a Dockerfile (the repository has 2.7k stars) with multiple credentials set up this way: https://github.com/hahahumble/speechgpt/blob/215e3a07a65eafede2ba3257939a4e59cfd01ae6/Dockerfile#L4-L10 Docker has the ability to pass secrets and we need to take this into account to avoid false positives. Example: https://github.com/super-linter/super-linter/blob/c4fe4da1f3bda7fd0f28bf92dd357fb9feeef5bf/Dockerfile#L103 |
|
We have the ability to pass user data to the checks, so users will have the ability to extend the check or disable some rules. |
|
Also, we should only analyze the final stage commands |
Do you have an example for this? Do you mean define user based exceptions to detections? |
@nikpivkin Just thinking about this: if the secret was present in an intermediate layer but later removed from subsequent layers, it is still exposed via the history right? |
I think @nikpivkin is talking about multi-stage builds. |
I meant multi-stage build. The image history only stores information about the final stage. |
We can define the following rule: included_envs := included if {
is_array(ds031.included_envs)
included := {e | some e in ds031.included_envs}
} else := set()Then the user can include additional environment variables: ❯ cat my-envs.yaml
ds031:
included_envs: ["MY_SECRET"]
❯ cat Dockerfile.custom
from alpine
arg MY_SECRET
❯ trivy conf -d Dockerfile.custom --config-data my-envs.yaml
CRITICAL: Possible exposure of secret env "MY_SECRET" in ARG
═══════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out
See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────
Dockerfile.custom:3
───────────────────────────────────────────────────────────────────────────────────────────────────────────
3 [ arg MY_SECRET
─────────────────────────────────────────────────────────────────────────────────────────────────────────── |
|
@simar7 I found a discussion about the parametrization of checks. |
Discussed in #7570
Originally posted by tzurielweisberg September 22, 2024
Description
Wbserved recently that when the secrets are passed to docker build with --build-args, it saved into the image layers unexposed and that leads to a secret leak if someone inspects the image layers or reviews the scan layers from Aqua UI for the scanned image.
We need a IAC rule for Dockefile to search for Secrets/Password usage.
It of course will be matched in secret scanning later, but we want to know about it before
Target
Filesystem
Scanner
Misconfiguration
The text was updated successfully, but these errors were encountered: