Challenge 4 ☆☆

Welcome to challenge 4. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Docker arg based password

The developer got smarter: now the password is no longer defined by Spring, but by means of a docker container build argument.

You can easily spot it by looking at how the layers got constructed.

Answer to solution :

Why using containers to put secrets in is a bad idea

As you can tell by now, you can easily detect any secret that stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.