
PG001: Secrets detected in ENV or ARG

Severity: Error | Category: Security

Why This Matters

Hardcoded secrets in ENV or ARG instructions are baked into the image layers and are visible to anyone who can pull the image. Even if a later layer deletes or overwrites them, they remain in the build history, and leaked API keys, database passwords, and tokens can be extracted with a simple `docker history` or `docker inspect`. Use build-time secrets (`--mount=type=secret`) or runtime environment variables injected by your orchestrator instead.

How to Fix

Remove hardcoded secrets and use Docker build secrets or runtime injection.

Before (incorrect)

ENV API_KEY=sk-1234567890abcdef

After (correct)

# Pass at runtime:
# docker run -e API_KEY="$API_KEY" myimage
# Or use build secrets (build with: docker build --secret id=api_key,src=./api_key.txt .).
# The file is mounted only for this RUN step and is not written to any image layer;
# in real use, read it into the command that needs it rather than printing it to the build log.
RUN --mount=type=secret,id=api_key cat /run/secrets/api_key
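One way to implement this rule's check, as an added example that is not the linter's own code: a small Python scanner that joins backslash-continued lines, understands both ENV forms and ARG defaults, and flags entries whose key name or value shape looks like a credential (the name and value heuristics are assumed for this example, not taken from the rule), while skipping plain variable references.

```python
import re
import shlex

# Heuristics assumed for this example, not the linter's real rules: key names that usually
# carry credentials, and value shapes that look like credentials (sk- prefix, AWS key ids, long opaque strings).
SECRET_KEY_RE = re.compile(r"(?i)(api[_-]?key|secret|token|passw(or)?d|private[_-]?key)")
SECRET_VALUE_RE = re.compile(r"^(sk-[A-Za-z0-9]{8,}|AKIA[A-Z0-9]{16}|[A-Za-z0-9+/=_-]{32,})$")

def _logical_lines(text):
    """Return [(first_line_no, text)] with backslash continuations joined."""
    out, buf, start = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start if buf else lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        out.append((start, " ".join(buf + [line]).strip()))
        buf = []
    return out

def _pairs(instr, args):
    """Split ENV/ARG arguments into (key, value) for both `K=V ...` and `K V` forms."""
    tokens = shlex.split(args)
    if tokens and "=" not in tokens[0]:  # legacy `ENV KEY value`; `ARG NAME` has no value
        return [(tokens[0], " ".join(tokens[1:]) if instr == "ENV" else "")]
    return [tuple(t.split("=", 1)) for t in tokens if "=" in t]

def check_pg001(dockerfile_text):
    """Return [(line_no, instruction, key)] for ENV/ARG entries that embed a literal secret."""
    findings = []
    for lineno, line in _logical_lines(dockerfile_text):
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].upper() not in ("ENV", "ARG"):
            continue  # blank lines, comments and other instructions
        instr = parts[0].upper()
        for key, value in _pairs(instr, parts[1]):
            literal = value and not value.startswith("$")  # $REF is not a literal secret
            if literal and (SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(value)):
                findings.append((lineno, instr, key))
    return findings

# Constructed sample Dockerfile: lines 1, 2 (a continued ENV) and 4 should be flagged.
SAMPLE = """\
ENV API_KEY=sk-1234567890abcdef
ENV APP_ENV=production \\
    DB_PASSWORD="hunter2hunter2"
ARG NPM_TOKEN=npm_abcdefghijklmnopqrstuvwxyz0123456789
ARG BUILD_VERSION
"""
```

A scan of literals cannot see a secret passed with `--build-arg` and then copied by `ENV KEY=$KEY`, which is baked into the image all the same.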

Rule Details

Rule Code: PG001
Severity: Error
Category: Security

Related Rules