Prisma Cloud can detect sensitive information that is improperly secured inside images and containers. Scans can detect embedded passwords, login tokens, and other types of secrets. To detect improperly secured secrets, add the following checks to your compliance policy.
This check detects sensitive information passed through an image's environment variables. Anything set with ENV is baked into the image configuration and is exposed to anyone who can run docker inspect on the image or pull it from a registry, so the value is effectively public to every user of the image.
$ docker --tlsverify -H :9998 build -t secret:v1 .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM alpine:latest
 ---> 88e169ea8f46
Step 2/2 : ENV PASSWORD = secret
 ---> Using cache
 ---> 8f3627bc339b
Error: [Prisma Cloud] Image operation blocked by policy: (No secrets attached), violates: The environment variable PASSWORD contains sensitive data
This check detects private keys stored in an image.
Navigate to Defend > Compliance and add a new compliance rule that blocks running any image containing a private key.
$ docker --tlsverify -H aqsa.c.cto-sandbox.internal:9998 build -t aqsa:secretv1 .
Sending build context to Docker daemon 5.632 kB
Step 1/2 : FROM alpine:latest
 ---> 88e169ea8f46
Step 2/2 : ADD private_key /root/.ssh/id_rsa
 ---> Using cache
 ---> c6e8e2496663
Error: [Prisma Cloud] Image operation blocked by policy: (No secrets attached), violates: Private keys stored in image /root/.ssh/id_rsa
To record the finding without blocking the build, set the rule's action to ALERT instead of BLOCK, run the image, then go to Monitor > Compliance and click the image under the Images tab to see the violation.
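Both checks above can be reproduced locally, for example in a CI step that runs before an image is pushed to a registry the Defender protects. The following Python script is an added example, not Prisma Cloud's or Docker's code: it reads the JSON printed by docker inspect <image> and the archive written by docker save <image> -o image.tar, flags Config.Env entries whose names look like secrets, and walks every layer of the saved image for files that begin with a PEM private-key header. The name pattern, the assumption that every tar-parseable member of the saved archive is a layer (true for both the legacy <id>/layer.tar and the newer blobs/sha256 layouts), and the embedded sample data are this example's own; the sample image is constructed in memory and contains no real key material.

```python
"""Local approximation of the two compliance checks described above.

This is an added example, not Prisma Cloud code. The regexes and the
layer-walking logic are this example's own assumptions.
"""
import io
import json
import re
import tarfile

# Assumed: environment-variable names that indicate a secret (heuristic).
SENSITIVE_ENV_NAME = re.compile(
    r"(passw(or)?d|pwd|secret|token|api[_-]?key|private[_-]?key|credential)", re.I
)
# PEM private-key headers as written by OpenSSL and OpenSSH.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)


def find_sensitive_env(inspect_json: str) -> list[str]:
    """Return the names of Config.Env entries that look like secrets.

    inspect_json is the output of `docker inspect <image>`: a JSON array of
    image records whose Config.Env is a list of "NAME=VALUE" strings. Only the
    name is returned so that the scanner itself does not leak the value.
    """
    names = []
    for image in json.loads(inspect_json):
        for entry in (image.get("Config") or {}).get("Env") or []:
            name, sep, _value = entry.partition("=")
            if sep and SENSITIVE_ENV_NAME.search(name):
                names.append(name)
    return names


def iter_layer_files(image_tar: bytes):
    """Yield (path, data) for every regular file in every layer of a
    `docker save` archive. Any member that itself parses as a tar is treated
    as a layer; manifest.json and the config blob are skipped because they
    are not tars."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            blob = outer.extractfile(member).read()
            try:
                layer = tarfile.open(fileobj=io.BytesIO(blob))
            except tarfile.ReadError:
                continue
            with layer:
                for inner in layer.getmembers():
                    if inner.isfile():
                        yield inner.name, layer.extractfile(inner).read()


def find_private_keys(image_tar: bytes) -> list[str]:
    """Return absolute paths of files whose first 4 KiB contain a PEM
    private-key header."""
    hits = []
    for path, data in iter_layer_files(image_tar):
        if PRIVATE_KEY_HEADER.search(data[:4096]):
            hits.append("/" + path.lstrip("./"))
    return sorted(hits)


def violations(inspect_json: str, image_tar: bytes) -> list[str]:
    """Run both checks and phrase the results like the Defender messages."""
    msgs = [f"The environment variable {n} contains sensitive data"
            for n in find_sensitive_env(inspect_json)]
    msgs += [f"Private keys stored in image {p}"
             for p in find_private_keys(image_tar)]
    return msgs


# --- constructed sample input: not a real image, not a real key -------------
def _tar_bytes(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


SAMPLE_INSPECT = json.dumps([{"Config": {"Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "PASSWORD=secret",
]}}])

SAMPLE_IMAGE_TAR = _tar_bytes({
    "manifest.json": b'[{"Config":"c.json","Layers":["abc/layer.tar"]}]',
    "abc/layer.tar": _tar_bytes({
        "etc/hostname": b"demo\n",
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\n"
                            b"(constructed placeholder, not key material)\n"
                            b"-----END RSA PRIVATE KEY-----\n",
    }),
})

if __name__ == "__main__":
    for msg in violations(SAMPLE_INSPECT, SAMPLE_IMAGE_TAR):
        print(msg)
```

Against a real image, replace the sample data with open("image.tar", "rb").read() from docker save and the output of docker inspect; the scanner deliberately reports variable names rather than values so that its own log does not become a second copy of the secret.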