docker-secrets.mdc
---
description: Flag hardcoded passwords, tokens, and registry credentials in Docker configurations. Suggest environment variables or Docker secrets.
alwaysApply: true
standards-version: 1.6.3
---
# Docker Secrets and Credential Safety
## Patterns to Flag
### Hardcoded Credentials
- Passwords, tokens, or API keys directly in Dockerfiles (`ENV PASSWORD=`, `ARG SECRET=`)
- Hardcoded credentials in docker-compose.yml environment sections
- Registry passwords in plain text (`docker login --password`)
- Database connection strings with embedded passwords
- AWS, GCP, or Azure credentials in Docker configs
### Dangerous Commands
- `docker login --password` or `docker login -p` in scripts or CI configs - use `--password-stdin` instead
- `COPY .env` in Dockerfiles - secrets should not be baked into images
- `ENV` instructions containing keys, tokens, or passwords
- `ARG` instructions used to pass secrets: the values persist in the image's layer history and are visible with `docker history`
### Configuration Files
- `.env` files committed with actual credential values
- `config.json` or `daemon.json` with registry auth tokens in plain text
- Docker Swarm secrets stored as plain text files
## What to Do
- Use environment variables passed at runtime (`docker run -e`, compose `environment:` with variable substitution)
- Use Docker secrets for Swarm deployments (`docker secret create`)
- Use BuildKit secret mounts for build-time secrets (`--mount=type=secret`)
- Use credential helpers for registry authentication (`docker-credential-*`)
- Reference `.env` files via `env_file:` in compose instead of hardcoding values
- Use `--password-stdin` for `docker login` commands
## Examples
Flagged:
```dockerfile
ENV DB_PASSWORD=mysecretpassword
ARG GITHUB_TOKEN=ghp_xxxxxxxxxxxx
```
Correct:
```dockerfile
# syntax=docker/dockerfile:1
# Pass at runtime: docker run -e DB_PASSWORD=... myimage  (the image only declares the variable)
ENV DB_PASSWORD=""
# Use BuildKit secrets: docker build --secret id=github_token,src=./token.txt .
# The file is mounted only for this RUN step and is never written to an image layer.
# Consume it inside the command that needs it; do not cat or echo it, build output is logged.
RUN --mount=type=secret,id=github_token \
    curl -fsS -H "Authorization: Bearer $(cat /run/secrets/github_token)" \
    -o /dev/null https://api.github.com/user
```
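A small checker that turns the "Patterns to Flag" and "Dangerous Commands" lists above into regular-expression rules and runs them over constructed Dockerfile, compose and CI snippets. It is an added example, not part of this rule file or any Docker tooling; the rule names, the `scan` function and the sample inputs are this example's own.

```python
import re

# Detection rules built from the "Patterns to Flag" list above. Rule names and the
# sample files below are constructed for this example; they are not part of the rule file.
SECRET = r"(?:password|passwd|secret|token|api[_-]?key|access[_-]?key)"
RULES = [
    # ENV/ARG with a secret-looking name and a non-empty literal value (ENV X="" is allowed)
    ("hardcoded-env-arg", re.compile(
        r"^\s*(?:ENV|ARG)\s+\w*" + SECRET + r"\w*\s*=\s*(?![\"']{2}\s*$)\S", re.I)),
    # docker login taking the password from the command line rather than --password-stdin
    ("docker-login-password", re.compile(
        r"docker\s+login\b(?![^\n]*--password-stdin)[^\n]*\s(?:-p|--password)[\s=]\S", re.I)),
    # COPY of a .env file bakes its contents into an image layer
    ("copy-dotenv", re.compile(r"^\s*COPY\b.*\s\.env\b", re.I)),
    # connection string with an embedded password: scheme://user:pass@host
    ("connection-string-password", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@]+@", re.I)),
    # compose/.env style KEY: value or KEY=value whose value is a literal, not ${VAR} or a secrets file
    ("literal-secret-value", re.compile(
        r"^\s*-?\s*[\"']?\w*" + SECRET + r"\w*[\"']?\s*[:=]\s*(?!\$\{|/run/secrets/)\S", re.I)),
]

def scan(text):
    """Return (line_number, rule_name, line) for each flagged line; first matching rule wins."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
                break
    return findings
SAMPLE_DOCKERFILE = """\
ENV DB_PASSWORD=mysecretpassword
ARG GITHUB_TOKEN=ghp_xxxxxxxxxxxx
ENV API_TOKEN=""
COPY .env /app/.env
RUN --mount=type=secret,id=github_token cat /run/secrets/github_token
"""
SAMPLE_COMPOSE = """\
services:
  db:
    environment:
      POSTGRES_PASSWORD: hunter2
      DATABASE_URL: postgres://app:hunter2@db:5432/app
      API_KEY: ${API_KEY}
      DB_PASSWORD_FILE: /run/secrets/db_password
"""
SAMPLE_CI = """\
docker login -u ci -p "$REGISTRY_PASSWORD" registry.example.com
echo "$REGISTRY_PASSWORD" | docker login -u ci --password-stdin registry.example.com
"""
```

`scan(SAMPLE_DOCKERFILE)` flags lines 1, 2 and 4 and leaves the empty `ENV` and the secret mount alone; the compose sample yields the literal password and the connection string but not the `${API_KEY}` substitution or the `_FILE` reference, and only the first CI line is reported.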