Information
Do not store any secrets in Dockerfiles.
Rationale:
The contents of a Dockerfile can easily be reconstructed from an image by using native Docker commands such as docker history, as well as various tools and utilities. Also, as a general practice, image publishers provide Dockerfiles to build credibility for their images. Hence, any secrets within these Dockerfiles could easily be exposed and potentially exploited.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Do not store any kind of secrets within Dockerfiles.
Impact:
You would need to identify a way to handle secrets for your Docker images.
Default Value:
By default, there are no restrictions on storing config secrets in Dockerfiles.
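
Added example (not part of the benchmark or of Nessus): the rationale notes that docker history exposes build instructions, so this shell function scans that output for NAME=VALUE tokens whose name looks secret-like and masks the value when reporting. The keyword list, the function names and the sample history lines are assumptions constructed for illustration; the sample includes a BuildKit secret mount line, which is not flagged.

```shell
#!/bin/sh
# Added example: flag image-history lines that carry secret-like NAME=VALUE pairs.
# Typical use (IMAGE is a placeholder):
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | scan_history
# The keyword list below is an assumption; extend it for your environment.
SECRET_KEYS='(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)'

# Reads one build instruction per line on stdin. Prints "<line no>: <instruction>"
# for every hit with the value masked, and returns 1 if anything was flagged.
# Only NAME=VALUE tokens are inspected; files copied into layers are out of scope.
scan_history() {
    awk -v keys="$SECRET_KEYS" '
    {
        hit = 0; out = ""
        for (i = 1; i <= NF; i++) {
            tok = $i
            eq = index(tok, "=")
            # Name is the text before the first "=", compared case-insensitively.
            if (eq > 1 && length(tok) > eq && toupper(substr(tok, 1, eq - 1)) ~ keys) {
                tok = substr(tok, 1, eq) "****"   # never echo the value itself
                hit = 1
            }
            out = out (i > 1 ? " " : "") tok
        }
        if (hit) { print NR ": " out; found = 1 }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample of history output (values are fake).
sample_history() {
    cat <<'EOF'
/bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon off;"]
/bin/sh -c #(nop)  ENV DB_PASSWORD=example-not-real
|1 NPM_TOKEN=example-not-real /bin/sh -c npm ci
RUN --mount=type=secret,id=npm_token npm ci
/bin/sh -c #(nop)  ENV PATH=/usr/local/bin:/usr/bin
EOF
}

sample_history | scan_history || echo "secret-like values found in image history"
```

A non-zero return from scan_history can be used to fail a CI job before the image is published.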