
CV-C008: Secrets in environment variables

Severity: Warning | Category: Security

Why This Matters

Storing secrets such as passwords, API keys, and tokens directly in environment variables within a Compose file exposes them in version control, process listings, container inspection output, and log files. Docker secrets or external .env files (excluded from version control) provide more secure alternatives.

How to Fix

Use Docker secrets or a .env file (excluded from version control) instead of inline values.

Before (incorrect)

services:
  web:
    environment:
      DB_PASSWORD: supersecret

After (correct)

services:
  web:
    secrets:
      - db_password
secrets:
  db_password:
    file: ./secrets/db_password.txt
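With the corrected Compose file, Docker mounts ./secrets/db_password.txt inside the container at /run/secrets/db_password and the DB_PASSWORD environment variable is never set, so the value stays out of `docker inspect` output and process listings. The application side has to change accordingly; the following added example (not part of this rule page or the linter) reads the secret from the mount, with the `DB_PASSWORD_FILE` pointer convention as an assumed fallback, and deliberately refuses to read a plain `DB_PASSWORD` value:

```python
"""Read a Docker secret that Compose mounted from a `secrets:` entry.

Added illustration for CV-C008; the secrets_dir and *_FILE fallback are
assumptions about the deployment, not part of the rule itself.
"""
import os
from pathlib import Path
from typing import Mapping, Optional


class SecretNotFound(RuntimeError):
    """Raised when neither the mounted file nor a *_FILE pointer exists."""


def read_secret(name: str,
                secrets_dir: str = "/run/secrets",
                env: Optional[Mapping[str, str]] = None) -> str:
    """Return the secret called `name`.

    Lookup order:
      1. <secrets_dir>/<name>              Docker's default mount path
      2. the file named by env["<NAME>_FILE"]  (assumed fallback used by
                                           many official images)
    A plain env["<NAME>"] value is never consulted: reading the password
    from the environment is exactly what CV-C008 flags.
    """
    env = os.environ if env is None else env
    candidates = [Path(secrets_dir) / name]
    pointer = env.get(f"{name.upper()}_FILE")
    if pointer:
        candidates.append(Path(pointer))
    for path in candidates:
        if path.is_file():
            # Secret files saved by an editor usually end in a newline;
            # strip it so the value matches what the operator typed.
            return path.read_text(encoding="utf-8").rstrip("\r\n")
    looked_in = ", ".join(str(c) for c in candidates)
    raise SecretNotFound(f"secret {name!r} not found (looked in: {looked_in})")
```

Failing loudly when the file is absent is intentional: a container that silently falls back to an empty password is harder to notice than one that refuses to start.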

Rule Details

Rule Code: CV-C008
Severity: Warning
Category: Security

Related Rules