From de40718f01b5c3f9e6d66aeb7ef0cf14445d11bd Mon Sep 17 00:00:00 2001 From: otkd <7527203+otkd@users.noreply.github.com> Date: Wed, 31 Jan 2024 23:56:36 -0500 Subject: [PATCH] feat(Docker): add Docker Secrets rule - Following existing syntax adds Rule #13 covering Docker Secrets Signed-off-by: otkd <7527203+otkd@users.noreply.github.com> --- cheatsheets/Docker_Security_Cheat_Sheet.md | 27 +++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/cheatsheets/Docker_Security_Cheat_Sheet.md b/cheatsheets/Docker_Security_Cheat_Sheet.md index 287c044a88..178a8fe7d2 100644 --- a/cheatsheets/Docker_Security_Cheat_Sheet.md +++ b/cheatsheets/Docker_Security_Cheat_Sheet.md @@ -251,7 +251,7 @@ By default, the Docker daemon is configured to have a base logging level of 'inf To configure the log level in Docker Compose: ```bash -docker compose --log-level info up +docker compose --log-level info up -d ``` ### Rule \#11 - Lint the Dockerfile at build time 
@@ -285,6 +285,31 @@ Rootless mode graduated from experimental in Docker Engine v20.10 and should be Read more about rootless mode and its limitations, installation and usage instructions on [Docker documentation](https://docs.docker.com/engine/security/rootless/) page. +### RULE \#13 - Utilize Docker Secrets for Sensitive Data Management + +Docker Secrets provide a secure way to store and manage sensitive data such as passwords, tokens, and SSH keys. Using Docker Secrets helps in avoiding the exposure of sensitive data in container images or in runtime commands. + +```bash +docker secret create my_secret /path/to/super-secret-data.txt +docker service create --name web --secret my_secret nginx:latest +``` + +Or for Docker Compose: + +```yaml + version: "3.8" + secrets: + my_secret: + file: ./super-secret-data.txt + services: + web: + image: nginx:latest + secrets: + - my_secret +``` + +While Docker Secrets are generally, this approach is not recommended for Kubernetes, where secrets are stored in plaintext by default. In Kubernetes, consider using additional security measures such as etcd encryption, or third-party tools. Refer to the [Secrets Management Cheat Sheet](Secrets_Management_Cheat_Sheet.md) for more information. + ## References and Further Reading [OWASP Docker Top 10](https://github.com/OWASP/Docker-Security)
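Review bot: The change to `docker compose --log-level info up -d` in the first hunk is unrelated to the Docker Secrets rule named in the subject, and the surrounding text only explains how to set the log level, so the added `-d` (detached mode) is not motivated by anything on the page. Either drop the `-d` change from this patch or mention it in the commit message so the reviewer knows it is intentional.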
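Review bot: The closing paragraph of the new Rule #13 is missing a word: "While Docker Secrets are generally, this approach is not recommended for Kubernetes" does not parse, and should read something like "While Docker Secrets are generally a good fit for Swarm deployments, this approach is not recommended for Kubernetes". While there, the Kubernetes claim would be more precise as "stored unencrypted (base64-encoded) in etcd by default". Two smaller points in the same hunk: the heading `### RULE \#13` should match the existing `### Rule \#11` and `### Rule \#12` capitalization, and the Compose YAML is indented by one extra leading space on every line inside the fence, which should be removed so it renders cleanly. Finally, since `docker secret create` and `docker service create --secret` only work in Swarm mode, the rule should say so; with plain `docker compose up` the `file:` secret is simply mounted from the host file rather than stored in the Swarm Raft log, which is the property the rule is relying on.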