
Password Env not found in Image

Open 53845714nF opened this issue 1 year ago • 3 comments

Hello, I built a small Python app with this Dockerfile:

FROM docker.io/library/python:3.8
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

WORKDIR /app
COPY requirements.txt /app/
RUN pip install -r requirements.txt

ENV POSTGRES_HOST=database
ENV POSTGRES_USER=postgres
ENV POSTGRES_PASSWORD=postgres
ENV POSTGRES_DB=shopping_list

COPY . /app/

EXPOSE 8000
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app:app"]

Code and image are on Github: https://github.com/53845714nF/MarketMinder/

I use ThreatMapper with the SecretScanner (screenshot attached).

They have found 17 secrets, but not one of these is the POSTGRES_PASSWORD. Are ENVs not checked? I have created the images according to OCI; could this be a problem?

53845714nF, Jun 23 '24 21:06

Hi @53845714nF, OCI images are supported. Currently SecretScanner only scans for secrets and keys in the filesystem. Environment vars are not scanned. Feel free to raise a feature request if that is needed; someone might pick it up.

ibreakthecloud, Jun 25 '24 15:06
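The maintainer's point is that the scanner walks the layer filesystems, while `ENV` values live in the image config (`config.Env`) and in the layer history (`history[].created_by`), which is where a `POSTGRES_PASSWORD=postgres` from a Dockerfile ends up. The script below is an added example, not SecretScanner's or ThreatMapper's code: it applies two common secret-scanning heuristics (a credential-looking variable name, or a long high-entropy value) to both places in an OCI/Docker image config. It assumes you already have the config JSON, e.g. from `docker image inspect IMAGE` (the object under `Config`/`History`, wrapped here in the OCI field names) or `skopeo inspect --config docker://IMAGE`; the `SAMPLE_CONFIG` document, the `GITHUB_PAT` value, the regex and the entropy threshold are all constructed for illustration.

```python
import json
import math
import re
from typing import Dict, List, Optional

# Constructed sample of an OCI image config (the JSON returned by
# `skopeo inspect --config`), carrying the ENV values from the Dockerfile
# in this thread plus one made-up token. Sample data only, not a real image.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "Env": [
            "PATH=/usr/local/bin:/usr/bin",
            "PYTHONDONTWRITEBYTECODE=1",
            "PYTHONUNBUFFERED=1",
            "POSTGRES_HOST=database",
            "POSTGRES_USER=postgres",
            "POSTGRES_PASSWORD=postgres",
            "POSTGRES_DB=shopping_list",
            "GITHUB_PAT=ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5",  # fake token
        ],
        "Cmd": ["gunicorn", "--bind", "0.0.0.0:8000", "app:app"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) WORKDIR /app"},
        # Legacy builder form of an ENV instruction; BuildKit writes "ENV X=Y".
        {"created_by": "/bin/sh -c #(nop)  ENV POSTGRES_PASSWORD=postgres", "empty_layer": True},
        {"created_by": "RUN pip install -r requirements.txt"},
    ],
})

# Variable names that usually hold credentials, whatever the value is.
# Assumed list; extend for your own naming conventions.
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I
)
# A value is "random-looking" if it is long enough and its Shannon entropy
# (bits per character) is high. Thresholds are assumptions, tune to taste.
HIGH_ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0

# Matches both "ENV X=Y" (BuildKit) and "/bin/sh -c #(nop)  ENV X=Y" (legacy).
ENV_HISTORY = re.compile(r"(?:/bin/sh -c #\(nop\)\s+)?ENV\s+(.+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_env(entry: str) -> Optional[str]:
    """Return why a KEY=VALUE entry looks like a secret, or None if it does not."""
    name, sep, value = entry.partition("=")
    if not sep or not value:
        return None
    if SENSITIVE_NAME.search(name):
        return "sensitive variable name"
    if len(value) >= HIGH_ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high-entropy value"
    return None


def scan_image_config(config_json: str) -> List[Dict[str, str]]:
    """Scan config.Env and ENV instructions in the layer history of an image config."""
    cfg = json.loads(config_json)
    findings: List[Dict[str, str]] = []
    for entry in cfg.get("config", {}).get("Env", []):
        reason = classify_env(entry)
        if reason:
            findings.append({"source": "config.Env", "entry": entry, "reason": reason})
    # ENV instructions stay in the history even if a later stage overrides them.
    for i, h in enumerate(cfg.get("history", [])):
        m = ENV_HISTORY.match(h.get("created_by", ""))
        if m:
            entry = m.group(1).strip()
            reason = classify_env(entry)
            if reason:
                findings.append({"source": f"history[{i}]", "entry": entry, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_image_config(SAMPLE_CONFIG):
        print(f"{f['source']}: {f['entry']}  ({f['reason']})")
```

Run against a real image with `skopeo inspect --config docker://IMAGE > config.json` and feed the file to `scan_image_config`. The name heuristic catches the `POSTGRES_PASSWORD` from the thread twice (once in `config.Env`, once in the history), and the entropy heuristic catches the made-up `GITHUB_PAT` whose name the regex does not know; `PATH` is long but structured enough to stay below the threshold.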

Thank you for the quick response.

I think it is necessary to scan the layers as well, and I am a bit shocked that this is not the normal behavior of the software. I could imagine that this could increase the security of many companies.

How should I open a feature request? Just create a new issue?

53845714nF, Jun 25 '24 23:06

It does scan all the layers in your Docker images and looks for secrets in all the files. It just does not scan the env. Yes, to open a feature request, simply raise an issue with details.

ibreakthecloud, Jun 26 '24 08:06

I have created a new issue.

53845714nF, Jul 08 '24 17:07