Challenge 4 ☆☆

Welcome to Challenge 4.

Docker arg based password

The developer got smarter: now the password is no longer defined by an ENV argument, but by means of a docker container build argument.

You can easily spot it by looking at how the layers got constructed.

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

Why putting secrets in containers is a bad idea

As you can tell by now, you can easily detect any secret that is stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.
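A pre-push check for your own images, as an added example that is not part of the original challenge or the project's code: it reads the `history[].created_by` entries of an image config (the JSON that `docker save` writes) and reports every build argument whose value was recorded there. The sample config, the argument names and the values are constructed placeholders, and the parser assumes argument values contain no spaces.

```python
import json
import re

# "|<n> NAME=value ..." is how Docker records the build args in scope for a
# RUN step; BuildKit prefixes the entry with "RUN ".
RUN_ARGS = re.compile(r"(?:RUN\s+)?\|(\d+)\s+(.*)")
# "ARG NAME=default" records a default value declared in the Dockerfile.
ARG_DEFAULT = re.compile(r"\bARG\s+([A-Za-z_][A-Za-z0-9_]*)=(\S+)")


def build_args_in_history(config: dict) -> list[tuple[int, str, str]]:
    """Return (history index, arg name, arg value) for every build arg
    value recorded in the image config's history entries."""
    findings = []
    for idx, entry in enumerate(config.get("history", [])):
        created_by = entry.get("created_by", "")
        m = RUN_ARGS.match(created_by)
        if m:
            count = int(m.group(1))
            # The first <count> tokens after the marker are NAME=value pairs.
            for token in m.group(2).split()[:count]:
                name, sep, value = token.partition("=")
                if sep:
                    findings.append((idx, name, value))
        for name, value in ARG_DEFAULT.findall(created_by):
            findings.append((idx, name, value))
    return findings


# Constructed sample in the shape of an image config; all names and values
# are placeholders, not taken from any real image.
SAMPLE_CONFIG = json.loads("""
{
  "history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:0000 in / "},
    {"created_by": "ARG example_password"},
    {"created_by": "RUN |1 example_password=PLACEHOLDER-VALUE /bin/sh -c echo configured # buildkit"},
    {"created_by": "ARG build_flavor=slim"},
    {"created_by": "CMD [\\"/app\\"]", "empty_layer": true}
  ]
}
""")

if __name__ == "__main__":
    for idx, name, value in build_args_in_history(SAMPLE_CONFIG):
        print(f"history[{idx}]: value of build arg {name!r} is stored in the image ({len(value)} chars)")
```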