Shulou(Shulou.com)05/31 Report--

This article mainly introduces "how to prevent disclosure of Docker sensitive information". In daily operation, I believe that many people have doubts about how to prevent disclosure of Docker sensitive information. The editor consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the doubts of "how to prevent disclosure of Docker sensitive information". Next, please follow the editor to study!

Overview

Containers and Docker make our daily life more convenient, but at the same time, it is also easy to accidentally leak some information to the public and cause security problems. Passwords, cloud credentials and SSH private keys can be leaked if they are not configured properly. Unless a security event policy is established and comprehensive protection is established, there are some cases:

Codecov supply chain attacks:

On April 1, 2021, due to a misconfiguration of a Docker file in Codecov, an attacker could steal credentials and modify the Bash Uploader script used by the customer. The Bash Uploaders was modified by malicious code and environment variables and keys collected from some customers' CI/CD environments were disclosed to an attacker-controlled server.

Affected by this event, the GPG key used by HashiCorp to issue signature and verification has been compromised. At present, the private key has been changed periodically using the rotation mechanism.

Other leaks caused by Docker Hub public images include, but are not limited to:

AWS accounts and credentials, SSH private keys, Azure keys, .npmrc tokens, Docker Hub accounts, PyPI repository keys, SMTP server authentication information, eCAPTCHA passwords, Twitter API keys, Jira keys, Slack keys, and other keys.

COPY method

A common COPY method in DockerFile syntax:

FROM debian:buster COPY. / app

By default, this statement copies everything in the current directory to the mirror. Files that may contain sensitive information in these contents: such as site .env.

Once sensitive information is placed in a Docker image, it can be seen by any user who can access the image. To prevent the disclosure of sensitive information due to COPY:

Restrict copying: copy only the specific files or directories that are necessary. For example,

COPY setup.py myapp/app .

.dockerkeeper: use .dockerkeeper to ensure that sensitive files are not copied into the image. A typical configuration:

NOTICE README.md LICENSE AUTHORS.md CONTRIBUTING.md .vscode / vendor/ env/ ENV/ build/ dist/ target/ downloads/ eggs/ .codes / lib/ lib64/ parts/ sdist/ var/ Dockerfile .git .editorconfig * .egg-info/ .in stalled.cfg * .egg * .manifest * .spec .gcloudignore .gitignore .tox / .dockerroom.cover.coverage. * .cache htmlcov/ nosetests.xml coverage.xml *, cover .cache / ssh/ id_rsa. Git-credentials config.*

Avoid manually generating images: the development environment is more likely to involve sensitive files than the CICD automatic generation system, so manually generating public images in the development environment is more likely to lead to disclosure.

Use the CI environment variable: if the CI or build environment needs to make confidential information, you need to configure it in the environment variable instead of accessing it through a file.

Image compilation

Sometimes you need to use secrets when building Docker images, such as passwords to access private package repositories.

FROM python:3.9 RUN pip install\-extra-index-url User:pass@priveapk.example\ package privatepackage

Including a user name and password directly in URL will directly cause it to be compromised. You can apply it in the form of environment variables:

Export MYSECRET=secretpassword export DOCKER_BUILDKIT=1 docker build-secret-secret id=mysecret,env=MYSECRET. Run time

Some passwords need to be accessed while the container is running, such as the credentials to access the database. The same runtime secrets cannot be stored directly in the mirror.

In addition to the accidental disclosure caused by the contents of the image, this configuration stored in the image is also bound to the environment, which makes it difficult for the image to run flexibly. There are several ways to pass secrets to the container when you run the container:

Use environment variables.

The volume that binds the confidential file.

Password management mechanism of orchestration system (such as K8S).

In a public cloud environment, cloud environment variables and authorizations can be used. For example, AWS's IAM role management.

External KeyStore.

Through these mechanisms, runtime sensitive information can be avoided from being stored in the mirror itself.

Security scanning

In addition to some of the above management strategies, another proactive approach is to automatically perform security scans. There are many password scanning tools on the market, which can scan directories or Git repositories, and will alarm directly if they contain sensitive information. Like detect-secrets,trufflehog.

There are also tools for scanning images, such as pentester, which can scan Docker Hub images to find problems.

At this point, the study on "how to prevent the disclosure of Docker sensitive information" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.