Docker security

Docker registry : Leaking sensitive information

Docker containers are building blocks for applications. Each container is an image with a readable/writeable layer on top of a bunch of read-only layers. These layers (also called intermediate images) are generated when the commands in the Dockerfile are executed one by one during the Docker image build.

Sometimes, when building an application inside a Docker image, you need secrets such as an SSH private key to pull code from a private repository, or you need tokens to install private packages. If you copy them into the Docker intermediate container they are cached on the layer to which they were added, even if you delete them later on.

In the following video, an attacker acheive to get a hidden sensitive information ( represented by a "flag" ) from layers of a docker image that hasn't cleaned up propely.