The amount of the internet and cloud infrastructure that is built on public Docker images makes this… worrying.
This isn’t really surprising and isn’t actually a real security issue with Docker itself or any of the popular public images. Docker Hub is a public registry so people inexperienced with Docker accidentally include secrets in their images and upload it to Docker Hub, this is actually pretty well known and the Docker docs specifically warn people about this.
How can you be sure it doesn’t affect popular images? The probability may be lower, but I don’t think you can rule it out.
The most popular images on Docker Hub are official / library images, they are curated and monitored by Docker for best practices and security vulnerabilities. I’m not saying that means you should trust them completely, it’s always best practice to read the source of an image before you use it.
This doesn’t mean that YOUR secrets are exposed by using the image, btw - this means that whomever built that image would be accidentally exposing their secrets.
Unless you built the image and added your secrets to it and then uploaded it to a public Docker registry. But again, that’s not a flaw in Docker.
Isn’t it about people pushing their keys to public? I feel like this doesn’t affect the pulling side
Natural selection. Docker apes must suffer.
Of course. In my opinion, what Docker is used for on Hub is a different model than it was originally supposed to solve. It was designed as a solution for enterprise where the development team had no easy control over the production environment, so the solution was to bundle the platform with the software. However, your production team is usually trustworthy, so leaking secrets via the container isn’t an issue (or actually sometimes you wanted the image to include secrets).
The fact that Hub exists is a problem in itself in my opinion. Even things like the AUR - which comes with its own set of problems - is a better solution.
nix
provides a solution to build clean Docker images. But then again it only works for packages that are either in nixpkgs already or you have written a derivation for, the latter being probably more effort than a quick and dirty dockerfile.I’m sure plenty of the offenders are legitimate, but it’s completely safe to check private key pairs into code, or to bake them in to images. It entirely depends on what the key pairs are used for. Very common to include key pairs for development/test environments, for example. If it’s a production secret, of course you don’t do this.
You’re right in one sense but when you get to the last sentence your argument breaks down.
The same type of secret should be treated the same way. The problem with treating environments different is that it builds bad habits especially for new devs who come in and see it being done in a certain way. But also, humans screw up and it’s better to just build the habit of not committing anything private outside of prod-like credential stores even if it’s not the prod instance.