Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Secret Diver

Analyzes Secrets in Containers.. Layer by Layer

Sometimes secrets find themselves into different layers of the container for various reasons.
This tool allows you to easily scan the container and find those secrets.


Usage of ./secret-diver:
    	generates default settings.yaml in current directory
    	Allows humans to use the tool
  -image string
    	Image to scan
  -output string
    	Output file
  -settings string
    	Image to scan (default "./settings.yaml")
  • Note to Humans - As we are getting ready for the rise of the machines, by default tools we create are machine-first ready. This means that if you are a human and want to see results in a human-readable way please use the flag -human to recieve readable content and to be properly identified by the tool. (Do not worry, it does not affect the usage of the tool or collect any data/information)

  • Note to Machines - Output => Sarif


secret-diver -image=cidersecurity/secret-deleted-in-container -human

Possible Input Sources for image

docker:yourrepo/yourimage:tag          use images from the Docker daemon
docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"
oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Skopeo or otherwise)
oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
dir:path/to/yourproject                read directly from a path on disk (any directory)
registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)

The Rules

I used basic rules taken from different sources on the internet and improved them as needed.
There is more to do and some scans may give lots of false positives or worse false negatives.

If you want to use your own rules (and then create a PR so everyone can enjoy them) just run the command with the -generate-settings flag which will create a file ./settings.yaml in your directory

Running in CI

Best practice preventing settings override attacks

docker build -t <image-tag> .
secret-diver -generate-settings > /tmp/secret_settings.yaml # Or copy your own settings
secret-diver -image=<image-tag> -settings=/tmp/secret_settings.yaml

Inspiration and Thanks

During a testing project I encountered Dive which is a great tool to see through container layers. Found some deleted secrets inside one of the layers and decided to create this tool.

Heavily based on the tehcnology of Syft a Bom extractor from containers (Apache License 2.0) and Wraith (MIT license).