4.10 Ensure secrets are not stored in Dockerfiles

Information

Do not store any secrets in Dockerfiles.

Rationale:

Docker images are not opaque and contain information about the commands used to build them. As such secrets should not be included in Dockerfiles used to build images as they will be visible to any users of the image.

Impact:

A proper secrets management process will be required for Docker image building.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Do not store any kind of secrets within Dockerfiles. Where secrets are required during the build process, make use of a secrets management tool, such as the buildkit builder included with Docker.

Default Value:

By default, there are no restrictions on storing config secrets in the Dockerfiles.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(10), CSCv7|13

Plugin: Unix

Control ID: 3ccdc54a03caa56f206aa4b985c26581dc5cbccb345fd9535120f21cc0c97364