NOTE: This project is heavily inspired by and adapted from gitleaks, so be sure to check that out if you haven't already.
Dockerleaks is a command-line tool designed to uncover secrets within Docker images. Secrets, which can include API keys, passwords, and access tokens, pose potential security risks if left exposed. Dockerleaks will comb through Docker images to help identify these secrets.
You can scan Docker images either located in a remote registry or stored locally. Dockerleaks uses different methods to investigate environment variables and build arguments, which are common places where secrets are inadvertently embedded during image creation. Furthermore, it can dig into the filesystem within a Docker image, scanning through files for potential secret leaks.
By using this tool, you can ensure that your Docker images maintain their integrity, adhering to the best practices of sensitive information management. It's a valuable addition to any security-conscious developer or organization's toolset, assisting in preventing unauthorized access to critical services, databases, and other resources.
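To make the environment-variable and build-argument checks described above concrete, here is an added illustration that is not dockerleaks' own code: it runs gitleaks-style regex rules over a constructed image config and layer history shaped like `docker image inspect` and `docker history --no-trunc` output. The sample data, rule set and function names are assumptions; the real tool reads this information from the Docker daemon.

```python
import re

# Constructed sample shaped like `docker image inspect <image>` (Config.Env) and
# `docker history --no-trunc --format '{{json .}}' <image>` (CreatedBy); not a real image.
SAMPLE_INSPECT = [{"Config": {"Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
    "AWS_ACCESS_KEY_ID=AKIA" + "A" * 16,   # constructed, AWS key shape
    "DB_PASSWORD=hunter2",                  # constructed
    "APP_ENV=production",
]}}]
SAMPLE_HISTORY = [
    {"CreatedBy": "/bin/sh -c #(nop)  ARG GITHUB_TOKEN"},
    # A build arg used by a RUN step survives in layer history as a "|N KEY=value" prefix.
    {"CreatedBy": "|1 GITHUB_TOKEN=ghp_" + "A" * 36 + " /bin/sh -c npm ci"},
    {"CreatedBy": "/bin/sh -c #(nop)  ENV APP_ENV=production"},
]

# Detection rules in the gitleaks style: (rule id, compiled pattern). Assumed rule set.
RULES = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # Generic rule: a variable whose name suggests a credential, assigned a non-empty value.
    ("generic-credential",
     re.compile(r"\b[A-Z0-9_]*(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*=\S+")),
]

def redact(match):
    """Keep a short prefix for triage; never write the full secret into a report."""
    return match[:8] + "..." if len(match) > 8 else "***"

def scan_text(text, location):
    """Return one (rule, location, redacted match) tuple per rule hit in text."""
    return [(rule, location, redact(m.group(0)))
            for rule, pattern in RULES for m in pattern.finditer(text)]

def scan_env(inspect_doc):
    """Check each ENV entry baked into the image config."""
    return [h for entry in inspect_doc[0]["Config"]["Env"]
            for h in scan_text(entry, "Config.Env")]

def scan_build_args(history_doc):
    """Check only layers whose CreatedBy carries build-arg values ("|N KEY=value ...")."""
    hits = []
    for layer in history_doc:
        if layer["CreatedBy"].startswith("|"):
            hits.extend(scan_text(layer["CreatedBy"], "history.CreatedBy"))
    return hits

if __name__ == "__main__":
    for hit in scan_env(SAMPLE_INSPECT) + scan_build_args(SAMPLE_HISTORY):
        print("%-20s %-20s %s" % hit)
```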
© 2023 Bryce Thuilot. Dockerleaks is an open-source project and comes with ABSOLUTELY NO WARRANTY. It is free software, and you are welcome to redistribute it under specific conditions.
brew install bthuilot/tap/dockerleaks
Navigate to the Releases tab to download the compiled binary for your specific platform.
Be sure to then add it to your shell's PATH.
git clone https://github.com/bthuilot/dockerleaks && cd dockerleaks
go build -o dockerleaks .
# add dockerleaks to your PATH or execute via ./dockerleaks
A Docker image containing the binary is distributed via ghcr.io/bthuilot/dockerleaks. To run via Docker, be sure to mount the Docker socket into the container so that the binary can connect to the daemon to perform scans; an example is shown below.
docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v ./dockerleaks.yml:/app/dockerleaks.yml ghcr.io/bthuilot/dockerleaks:[LATEST VERSION] analyze static -p -i [IMAGE TO SCAN]
The tool can be used to scan both remote and locally built Docker images.
For example, to statically analyze a remote image named my-image, you could use the following command:
dockerleaks analyze static -i my-image:latest -p
This command would pull my-image:latest from its remote source and scan it for leaked secrets.
The application can be configured via a file named dockerleaks.yml located in the same directory the tool is run from, the directory $HOME/.dockerleaks, or the folder /etc/dockerleaks.
Check out the file dockerleaks.example.yml located in the root of this repository for more information.