Scanning Docker Images for Secrets

by ITECHNEWS
December 1, 2021
in Opinion

Introduction

When we talk about secret sprawl, we immediately think about API keys, passwords, credentials or any secret lurking in some source code.

Certainly, source code is tightly linked to secret sprawl. Unfortunately, it is not the only source of sensitive-information leaks.


Security teams looking to secure the entire perimeter of an application need to consider every possible source of leaks. One of these sources is Docker images.

Docker Images

What is a Docker image? A Docker image is a read-only template from which containers are created on the Docker platform. It bundles a filesystem containing everything required to run the application (dependencies, source code, binaries) together with configuration metadata such as environment variables, the entrypoint and the build history.

Docker images are built as a stack of layers (much as a version control system stores a history of changes), and from an image it is possible to recover each build step and the modification it applied. SRE teams mainly use Docker for portability and easy software deployment.

Where Are the Secrets Hiding?

First of all, Docker images embed source code, and like any source code it is likely to contain secrets. Source code can be protected using tools like GitGuardian. Still, since the code packaged into the image may differ from what was committed, either because the publisher changed it or because the publishing process did, Docker images can bypass those security checks.

An example is a developer who builds an image from a local checkout that contains files never committed (such as files excluded by .gitignore) and then publishes the image.

Then there is the Dockerfile itself. Secrets can be added through the Dockerfile, either directly (for instance in an ENV instruction) or by copying in a file that contains them. It is very common to need some sort of credential to build or run an application: to access a package manager, to connect to other services, and so on. Since a Docker image is meant to run on any machine, it can seem acceptable at first to ship the secrets inside the image as well.

Finally, the layered structure of a Docker image is very prone to leaks. A file deleted in a later layer is hidden from the final filesystem, but it is still present in the earlier layer and therefore still in the image. Moreover, unlike source code, Docker image layers are rarely reviewed by anyone.

For all those reasons, we decided to build and test a dedicated secret scanner for Docker images: ggshield scan docker

Why You Should Care

Just like source code, Docker images can be published in shared repositories, publicly on hub.docker.com, or in a company registry. Each of these places is a potential leak point.

Take, for example, the Codecov breach earlier this year (2021). The application's Docker image contained Git credentials that allowed an attacker to gain access to Codecov's private Git repositories and slip a backdoor into their product, which would later affect a considerable number of Codecov's 22,000 users.

Methodology to Scan at Scale

As previously explained, secrets can be embedded in images in several places and at different stages of the build.

When building a Docker image from scratch, most of the layers consist of installing tooling: Debian packages, language-specific packages and the like. These layers are unlikely to contain secrets.

The layers that can contain secrets are the ones where files are manually added or copied, or where environment variables are set. Fortunately, every image carries a manifest and a config that record the sequence of build steps used to produce it. We use that history to select only the layers produced by the user's own instructions, then extract the files and environment variables from those layers and pipe them into our scanner.
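To make the methodology concrete, here is an added example (not GitGuardian's ggshield code and not part of the original article) that walks a `docker save` archive the way the paragraph above describes: read manifest.json, use the config's build history to pick out the COPY/ADD layers, scan those layers' files, and scan the config's ENV entries. The sample archive it scans is constructed inside the script (the file names, layer paths, `ghp_` value and the AWS documentation example key are placeholders), and it reproduces the two leak paths from the earlier sections: secrets copied in by the Dockerfile, and a secret that a later `rm` step hides from the final filesystem while it remains in an earlier layer.

```python
"""Offline scan of a `docker save` archive for secrets, one build layer at a time."""
import io
import json
import re
import tarfile

# Detectors: a few well-known token formats plus a PEM private-key header.
DETECTORS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Build steps in which the user adds files; package-install RUN layers are skipped.
USER_STEP = re.compile(r"#\(nop\)\s+(COPY|ADD)\b")
MAX_FILE = 1 << 20  # ignore files over 1 MiB (binaries, vendored blobs)


def scan_bytes(data, location):
    """Return (location, detector, match) for every detector hit in `data`."""
    return [(location, name, m.group(0).decode(errors="replace"))
            for name, rx in DETECTORS.items() for m in rx.finditer(data)]


def scan_layer(layer_bytes, label):
    """Scan every regular file inside one layer tar, ignoring whiteout markers."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer.getmembers():
            if not member.isfile() or member.size > MAX_FILE:
                continue
            if member.name.rsplit("/", 1)[-1].startswith(".wh."):
                continue  # deletion marker for a file from an earlier layer
            data = layer.extractfile(member).read()
            findings += scan_bytes(data, f"{label}:{member.name}")
    return findings


def scan_archive(archive_bytes):
    """Walk manifest -> config history -> layers, scanning only user-added content."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as ar:
        manifest = json.load(ar.extractfile("manifest.json"))[0]
        config = json.load(ar.extractfile(manifest["Config"]))
        # ENV values live in the image config, not in any filesystem layer.
        for kv in config.get("config", {}).get("Env", []):
            findings += scan_bytes(kv.encode(), "config:Env")
        # History entries without empty_layer map, in order, onto manifest Layers.
        layer_paths = iter(manifest["Layers"])
        for step in config.get("history", []):
            if step.get("empty_layer"):
                continue
            path = next(layer_paths)
            if USER_STEP.search(step.get("created_by", "")):
                findings += scan_layer(ar.extractfile(path).read(), path)
    return findings


def _tar_bytes(files):
    """Constructed helper: pack {path: bytes} into an uncompressed tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_archive():
    """Constructed sample image (not a real Docker Hub image), laid out like `docker save`."""
    base = _tar_bytes({"usr/lib/libfoo.so": b"\x7fELF not a real binary"})
    app = _tar_bytes({
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS docs example key
        "app/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n",
    })
    # A later `rm` only adds a whiteout marker; the key stays in the COPY layer.
    cleanup = _tar_bytes({"app/.wh..env": b""})
    config = {
        "config": {"Env": ["PATH=/usr/bin", "GITHUB_TOKEN=ghp_" + "A" * 36]},
        "history": [
            {"created_by": "/bin/sh -c apt-get install -y libfoo"},
            {"created_by": "/bin/sh -c #(nop) COPY dir:1234 in /app"},
            {"created_by": "/bin/sh -c #(nop)  ENV GITHUB_TOKEN=...", "empty_layer": True},
            {"created_by": "/bin/sh -c rm /app/.env"},
        ],
    }
    manifest = [{"Config": "cfg.json",
                 "Layers": ["l0/layer.tar", "l1/layer.tar", "l2/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "cfg.json": json.dumps(config).encode(),
        "l0/layer.tar": base, "l1/layer.tar": app, "l2/layer.tar": cleanup,
    })


if __name__ == "__main__":
    for location, detector, match in scan_archive(build_sample_archive()):
        print(f"{location:28} {detector:18} {match[:12]}...")
```

Run against a real image with `docker save myimage:tag -o image.tar` and pass the file's bytes to `scan_archive`. The base layer (apt-get) and the cleanup layer (rm) are never opened, yet the AWS key in app/.env is still reported from the COPY layer even though it is absent from a running container, which is exactly the layer-hiding problem described above. Layer selection by `created_by` string is a heuristic: BuildKit and other builders may phrase history entries differently, so on unfamiliar images fall back to scanning every non-empty layer.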

Scanning Docker Hub

We analysed a sample of 2,000 public images recently pushed to Docker Hub, collected through the Docker Hub API, and found that 7% of them contained at least one secret.

In the breakdown of detected secret types, the “Other” category contains all generic credentials: secrets that give no hint about their provider, such as high-entropy strings (we can never be sure these are “real” secrets, but the algorithm infers a probability from the surrounding context). Since the end of 2017 we have focused on detecting the specific secrets developers use in source code. However, the secrets embedded in Docker images appear to be different, and perhaps more often tied to internal services than the ones we are used to.

First, we notice that secret types are far less diverse in Docker images. A straightforward explanation is that there are far fewer public images on Docker Hub (~8.5 million) than public repositories on GitHub (several hundred million), and our continuous monitoring of the latter has shown that more volume brings more diversity.

Second, private keys are rare in source code (2.8% of detected secrets) compared to images (23.1%). This is not a surprise either, considering that private keys are more often used for communication and authentication between container systems.

Conclusion

Docker images, because of their structure and usage, are likely to contain hidden secrets. We found that 7% of public images have secrets. You should therefore treat them as part of your attack surface, one that is actively exploited, as the Codecov incident demonstrated earlier this year. Good security hygiene is undoubtedly needed (we have produced a cheat sheet on container security best practices), but automated scanning has become a must to harden your supply chain. This is why a CI step that scans for secrets (ggshield, SecretScanner) is needed just as much as one that scans for vulnerabilities (Clair, Trivy, Docker Bench for Security).

Thomas Segura, Content Writer, GitGuardian
