
PG003: Avoid copying sensitive files into the image

Severity: Warning | Category: Security

Why This Matters

Copying sensitive files such as private keys, .env files, or credentials into a Docker image embeds them in the image's layer history. Even if a later instruction deletes them, they remain in the earlier layer and can be extracted from it with ordinary image tooling. Anyone who can pull the image can recover your secrets. Use .dockerignore to exclude sensitive files from the build context, mount secrets at runtime, or use Docker build secrets (--mount=type=secret), which are available only during the RUN step and are never written to a layer.

How to Fix

Add sensitive files to .dockerignore and use build secrets or runtime mounts instead of COPY.

Before (incorrect)

COPY .env /app/.env
COPY id_rsa /root/.ssh/id_rsa

After (correct)

# Add to .dockerignore: .env, id_rsa
# Use a build secret instead (pass the file with: docker build --secret id=env,src=.env .).
# The secret is visible only during this RUN step and is not stored in any layer:
RUN --mount=type=secret,id=env,target=/app/.env cat /app/.env
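A small check in the spirit of this rule, added here as an example and not the linter's own code: it scans a Dockerfile for COPY/ADD instructions whose source path looks like a secret and reports whether .dockerignore already excludes it. The SENSITIVE_PATTERNS list and the sample Dockerfile are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the rule page's or the linter's own code: a minimal
# PG003-style check. SENSITIVE_PATTERNS is an assumed list, not the linter's.
SENSITIVE_PATTERNS='\.env|id_rsa|id_ed25519|\.pem|\.key|credentials'

# pg003_scan DOCKERFILE [DOCKERIGNORE]
# Prints one finding per offending instruction; returns 1 if any, else 0.
pg003_scan() {
    dockerfile=$1
    dockerignore=${2:-/dev/null}
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            COPY*|ADD*|copy*|add*) ;;
            *) continue ;;
        esac
        # First non-flag argument after COPY/ADD is the build-context source.
        src=$(printf '%s\n' "$line" | awk '{for (i=2;i<=NF;i++) if ($i !~ /^--/) {print $i; exit}}')
        if printf '%s\n' "$src" | grep -Eq "$SENSITIVE_PATTERNS"; then
            found=1
            if grep -qxF "$(basename "$src")" "$dockerignore" 2>/dev/null; then
                note='(in .dockerignore: this COPY fails at build time; drop it and use a build secret)'
            else
                note='(NOT in .dockerignore: the secret lands in an image layer)'
            fi
            printf 'PG003 line %d: %s %s\n' "$lineno" "$line" "$note"
        fi
    done < "$dockerfile"
    return $found
}

# Constructed sample input (not from the page): the rule's "before" pattern,
# plus a .dockerignore that only covers .env.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Dockerfile" <<'EOF'
FROM alpine:3.19
COPY .env /app/.env
COPY id_rsa /root/.ssh/id_rsa
COPY --chown=app:app app.py /app/app.py
RUN --mount=type=secret,id=env,target=/app/.env cat /app/.env
EOF
printf '.env\n' > "$SAMPLE_DIR/.dockerignore"
printf 'FROM alpine:3.19\nCOPY app.py /app/app.py\n' > "$SAMPLE_DIR/clean.Dockerfile"

pg003_scan "$SAMPLE_DIR/Dockerfile" "$SAMPLE_DIR/.dockerignore" || echo "findings above: fix before building"
```

The RUN --mount line and the COPY of app.py are not flagged; only the two secret-bearing COPY lines are. The check is line-based and does not follow multi-line instructions or wildcard sources.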

Rule Details

Rule Code: PG003
Severity: Warning
Category: Security

Related Rules