Challenge 3

Welcome to challenge 3. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Docker ENV based password

Did you know that you can use the ENV as well in Docker containers to set the password? What a great idea to share it with everyone!

You can easily spot the secret by looking at how the layers were constructed or detecting it with a tool like Dockle.

Answer to solution:

Why using containers to put secrets in is a bad idea

As you can tell by now, you can easily detect any secret that is stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.
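As an added example (not part of the WrongSecrets challenge code), the script below shows what "looking at how the layers were constructed" means in practice and why a secret set via ENV stays in the image: it scans an OCI image configuration JSON, the document you get from `skopeo inspect --config` or from the config blob inside a `docker save` tarball, for two things. First, the runtime environment in `config.Env`, which anyone who can pull the image can read. Second, the per-step `history[].created_by` strings, where every ENV instruction and every build argument is recorded, so a value that a later layer overwrites or unsets is still recoverable. The name pattern, the sample configuration and all values in it are constructed for this example.

```python
"""
Scan an OCI image configuration for environment variables and build steps
that look like they carry credentials. Added example for the challenge text;
the image configuration and every value in it are constructed, not real.
"""
import json
import re

# Variable names that commonly carry credentials. This list is an assumption
# for the example; tune it to your own naming conventions.
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE
)

# NAME=value pairs as they appear in ENV instructions and in the "|N ARG=value"
# prefix that docker build writes into the history entry of a step that used a build arg.
ASSIGNMENT_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")

# Constructed OCI image config, shaped like `skopeo inspect --config` output.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
            "DOCKER_ENV_PASSWORD=example-not-a-real-secret",
            "APP_MODE=production",
        ],
        "Cmd": ["java", "-jar", "/app.jar"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
        {"created_by": "|1 BUILD_TOKEN=constructed-build-token /bin/sh -c ./build.sh"},
        {"created_by": "/bin/sh -c #(nop)  ENV DOCKER_ENV_PASSWORD=example-not-a-real-secret"},
        {"created_by": "/bin/sh -c #(nop)  ENV APP_MODE=production"},
    ],
})


def find_env_secrets(oci_config_json: str) -> list[dict]:
    """Return one finding per (source, name, value) whose name looks like a credential."""
    data = json.loads(oci_config_json)
    findings: list[dict] = []
    seen: set[tuple] = set()

    def record(source: str, name: str, value: str) -> None:
        key = (source, name, value)
        if key not in seen and SECRET_NAME_RE.search(name):
            seen.add(key)
            findings.append({"source": source, "name": name, "value": value})

    # 1. Runtime environment baked into the image config. Anyone who can pull the
    #    image, or run `docker inspect`, sees these without starting a container.
    for entry in data.get("config", {}).get("Env", []):
        name, _, value = entry.partition("=")
        record("config.Env", name, value)

    # 2. Layer history. ENV values and build args are recorded per build step, so
    #    unsetting the variable in a later layer does not remove it from the image.
    for step in data.get("history", []):
        for name, value in ASSIGNMENT_RE.findall(step.get("created_by", "")):
            record("history", name, value)

    return findings


if __name__ == "__main__":
    for finding in find_env_secrets(SAMPLE_CONFIG):
        print(f"{finding['source']}: {finding['name']} = {finding['value']}")
```

Running it against the constructed config reports the password once from `config.Env` and once from the history, plus the build-time token that never appears in the runtime environment at all; that last case is the one a quick `docker inspect` misses and a layer-aware tool such as Dockle is built to catch. The fix is not to rewrite the history but to keep the value out of the build entirely and supply it at runtime (a mounted file, a Kubernetes Secret, or a vault client), then rebuild and push a clean image so the old one can be removed from the registry.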

Interesting ENV vars for you to have a look at can be found at this list.