@srija1102

🧾 Pull Request

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.


🧠 Description

This pull request introduces a new Dockerfile security check CKV_DOCKER_1005,
titled “Ensure no secrets or private keys are stored in ENV or ARG instructions.”

This enhancement improves Checkov’s Dockerfile scanning capabilities by identifying hardcoded secrets and credentials that appear within ENV or ARG instructions. Such secrets can be unintentionally exposed through:

  • Docker image layers (viewable via docker history)
  • Source control commits
  • Build logs in CI/CD systems
  • Public container registries (Docker Hub, ECR, GCR)

By flagging these vulnerabilities early, this check helps teams strengthen their DevSecOps posture and adhere to secure build practices.


🪲 Fixes

Fixes: N/A (new feature addition — introduces a new policy check)


🔒 New/Edited Policies

Policy Overview

| Field | Value |
|---|---|
| Policy ID | CKV_DOCKER_1005 |
| Type | Dockerfile Check |
| Category | Secrets |
| Severity | High |
| Purpose | Detect secrets, credentials, and private keys in ENV and ARG instructions |

This check parses each Dockerfile instruction and inspects its value for known secret patterns, API tokens, or private key headers.
It ensures that sensitive credentials are not embedded in Docker images, where they can be leaked during build or distribution.


Patterns Detected

  • Generic credentials: key=, token=, secret=, password=, pwd=, auth=, credential=
  • AWS access keys: AKIA... and ASIA...
  • GitHub Personal Access Tokens: ghp_...
  • JWT tokens: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
  • Slack/Discord tokens: xoxb-, xoxa-, xoxp-
  • Private keys: -----BEGIN PRIVATE KEY-----
  • Common service variables: API_KEY, ACCESS_TOKEN, CLIENT_SECRET

Each match is reported with full metadata including instruction type (ENV/ARG), file path, and line numbers.


🛠 Remediation

1️⃣ Docker BuildKit Secrets

Leverage Docker’s built-in secret mounting to securely inject secrets at build time.

❌ Insecure

```dockerfile
# The literal value is baked into the image layer and visible via `docker history`.
ENV API_KEY=abcd1234
```

✅ Secure

```dockerfile
# The secret is mounted only for this RUN step and never written to a layer;
# the trailing backslash joins the two lines into one instruction, and API_KEY
# exists only inside this step, so the command that needs it must run here too.
# Build with: docker build --secret id=my_api_key,src=./my_api_key.txt .
RUN --mount=type=secret,id=my_api_key \
    export API_KEY=$(cat /run/secrets/my_api_key)
```

📘 Reference: Docker BuildKit Secrets Documentation

2️⃣ Use External Secret Managers

  • Integrate with centralized secret management solutions:
    • AWS Secrets Manager
    • HashiCorp Vault
    • Kubernetes Secrets

This ensures secrets are stored and retrieved securely without ever embedding them into Docker images.

3️⃣ Inject Secrets at Runtime

  • Use secure environment injection through CI/CD platforms such as:
    • GitHub Actions Secrets
    • Jenkins Credentials Plugin
    • GitLab CI/CD Variables

These methods prevent secrets from being cached or versioned in Docker layers or repositories.


⚙️ Technical Details of Implementation

File: checkov/dockerfile/checks/SecretsInEnvArg.py

  • Subclassed BaseDockerfileCheck
  • Supported instructions: ["ENV", "ARG"]
  • Implemented scan_resource_conf() to parse Dockerfile instructions
  • Added regex-based secret keyword matching on instruction values
  • Returns:
    • CheckResult.FAILED → when secret-like patterns are detected
    • CheckResult.PASSED → when all values are safe

File: checkov/dockerfile/checks/SecretsInEnvArg.yaml

  • Defines check metadata including:
    • id, name, category, severity, and remediation

Tests: tests/dockerfile/checks/graph_checks/SecretsInEnvArg/

  • Dockerfile.pass → safe, clean Dockerfile
  • Dockerfile.fail → includes API keys and tokens
  • Dockerfile.privatekey.fail → includes a private key string
  • test_SecretsInEnvArg.py → validates all cases and verifies fail/pass logic
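As an added, self-contained illustration (not the PR's code, and it does not import Checkov's BaseDockerfileCheck), the following applies the pattern list from "Patterns Detected" to ENV and ARG instructions the way the implementation outline above describes, returning one finding per flagged variable with the instruction type and first line number. It treats empty values and bare `$VAR`/`${VAR}` references as not hardcoded, which is an assumption, and its substring name matching also hits names such as AUTHOR; all function and constant names are hypothetical.

```python
import re
import shlex

# Patterns from the PR description: names are matched as substrings, values by token shape.
NAME_PATTERN = re.compile(r"key|token|secret|password|pwd|auth|credential", re.I)
VALUE_PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{20,}"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "slack_token": re.compile(r"\bxox[abp]-[\w-]+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Assumption: an empty value or a bare $VAR/${VAR} reference embeds no literal secret.
VAR_REF = re.compile(r"^\$\{?\w+\}?$")

def iter_instructions(text: str):
    """Yield (first_line_no, INSTRUCTION, arguments), joining backslash continuations."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank lines and comments outside a continuation
        start = start if buf else no
        buf.append(line.rstrip("\\"))
        if line.endswith("\\"):
            continue
        parts = " ".join(buf).split(None, 1)
        buf = []
        yield start, parts[0].upper(), parts[1] if len(parts) > 1 else ""

def scan_dockerfile(text: str) -> list[tuple[str, int, str, str]]:
    findings = []  # (instruction, first line, variable name, reason), like the check's metadata
    for line_no, instr, rest in iter_instructions(text):
        if instr not in ("ENV", "ARG"):
            continue
        tokens = shlex.split(rest)
        if tokens and "=" not in tokens[0]:  # legacy "ENV KEY value" form: the rest is the value
            tokens = [tokens[0] + "=" + " ".join(tokens[1:])]
        for tok in tokens:
            key, _, value = tok.partition("=")
            if not value or VAR_REF.match(value):
                continue
            hit = next((n for n, p in VALUE_PATTERNS.items() if p.search(value)), None)
            if hit:
                findings.append((instr, line_no, key, f"value matches {hit}"))
            elif NAME_PATTERN.search(key):
                findings.append((instr, line_no, key, "secret-like name with literal value"))
    return findings
```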

🧪 Test Results

CLI Verification

```bash
checkov --framework dockerfile --check CKV_DOCKER_1005 -d tests/dockerfile/checks/graph_checks/SecretsInEnvArg --compact
```

Output:

```text
dockerfile scan results:

Passed checks: 1, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_1005: "Ensure no secrets or private keys are stored in ENV or ARG instructions"
PASSED for resource: /Dockerfile.pass.
FAILED for resource: /Dockerfile.privatekey.fail.ENV
FAILED for resource: /Dockerfile.fail.ARG
```

2️⃣ Pytest Validation

```bash
pytest tests/dockerfile/checks/graph_checks/SecretsInEnvArg/test_SecretsInEnvArg.py -v
```


✅ Results:

Both secret detection and private key exposure tests pass successfully.


✅ Checklist

  • I have performed a self-review of my own code
  • I have commented my code where necessary for clarity
  • I have added the YAML metadata file describing severity and remediation
  • I have added comprehensive tests validating detection behavior
  • All existing and new tests pass locally with my changes

🧩 Impact

This new policy significantly strengthens Dockerfile scanning by detecting both generic credentials and private keys, bridging a key security gap in image build pipelines. It empowers developers to identify misconfigurations early and adopt secure build practices in alignment with modern DevSecOps standards.
