deepfence / SecretScanner

:unlock: :unlock: Find secrets and passwords in container images and file systems :unlock: :unlock:
https://deepfence.io
MIT License
3.09k stars 314 forks

Password Env not found in Image #120

Closed 53845714nF closed 2 months ago

53845714nF commented 2 months ago

Hello, I built a small Python app with this Dockerfile:

```dockerfile
FROM docker.io/library/python:3.8
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

WORKDIR /app
COPY requirements.txt /app/
RUN pip install -r requirements.txt

# Database settings baked into the image config as environment variables
ENV POSTGRES_HOST=database
ENV POSTGRES_USER=postgres
ENV POSTGRES_PASSWORD=postgres
ENV POSTGRES_DB=shopping_list

COPY . /app/

EXPOSE 8000
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app:app"]
```

Code and image are on Github: https://github.com/53845714nF/MarketMinder/

I use ThreatMapper with the SecretScanner: [screenshot]

They found 17 secrets, but not one of these is the POSTGRES_PASSWORD. Are ENVs not checked? I created the images according to OCI; could this be a problem?

ibreakthecloud commented 2 months ago

Hi @53845714nF, OCI images are supported. Currently SecretScanner only scans for secrets and keys in the filesystem. Environment vars are not scanned. Feel free to raise a feature request if that is needed; someone might pick it up.

53845714nF commented 2 months ago

Thank you for the quick response.

I think it is necessary to scan the layers as well, and I am a bit shocked that this is not the normal behavior of the software. I could imagine that this could increase the security of many companies.

How should I open a feature request? Just create a new issue?

ibreakthecloud commented 2 months ago

It does scan all the layers in your Docker images and looks for secrets in all the files. It just does not scan the env. Yes, to open a feature request, simply raise an issue with details.
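The gap both replies describe is that the password in the issue's Dockerfile never lands in a layer's filesystem: `ENV` writes it into the image config JSON (`config.Env`), and `docker build` additionally records the instruction in the config's `history`, so it can survive even after a later `ENV POSTGRES_PASSWORD=` clears it. The following is an added example, not SecretScanner's or ThreatMapper's code, showing how to check that metadata yourself. It reads the config JSON that `skopeo inspect --config docker://<ref>` prints (or the list that `docker image inspect <image>` prints, which uses a capitalised `Config` key and carries no `history`) and flags variables by credential-like name, by a known key format in the value, or by high entropy. The sample config, the name and value patterns and the entropy threshold are constructed for the example; the AKIA value is AWS's documented placeholder key, not a real credential.

```python
"""Flag likely secrets in an OCI/Docker image config's ENV and build history.

Added example (not part of SecretScanner). Feed it the JSON from
`skopeo inspect --config docker://<ref>` or `docker image inspect <image>`.
"""
import json
import math
import re
import sys
from typing import List, Optional

# Variable names that usually carry credentials (assumed list, tune to taste).
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIALS?)", re.I
)
# Value formats that are secrets whatever the variable is called:
# AWS access key ID prefix, PEM private key header, GitHub PAT prefix.
SENSITIVE_VALUE = re.compile(
    r"(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36})"
)
# `docker build` records every ENV instruction in history.created_by, both in
# the classic "/bin/sh -c #(nop)  ENV K=V" form and BuildKit's "ENV K=V" form.
ENV_IN_HISTORY = re.compile(r"\bENV\s+(.*)")
KEY_VALUE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\S*)")


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above natural text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def classify(name: str, value: str) -> Optional[str]:
    """Return why NAME=VALUE looks like a secret, or None if it does not."""
    if not value:
        return None  # `ENV FOO=` leaves nothing to leak
    if SENSITIVE_VALUE.search(value):
        return "value matches known key format"
    if SENSITIVE_NAME.search(name):
        return "credential-like variable name"
    if len(value) >= 32 and shannon_entropy(value) > 4.5:
        return "high-entropy value"
    return None


def find_env_secrets(config_json: str) -> List[dict]:
    """Scan config.Env and history for secret-looking environment variables."""
    cfg = json.loads(config_json)
    if isinstance(cfg, list):  # `docker image inspect` wraps the object in a list
        cfg = cfg[0]
    # OCI image config uses lowercase "config"; `docker inspect` uses "Config".
    runtime = cfg.get("config") or cfg.get("Config") or {}
    findings = []
    for item in runtime.get("Env") or []:
        name, _, value = item.partition("=")
        reason = classify(name, value)
        if reason:
            findings.append({"where": "config.Env", "name": name, "reason": reason})
    for entry in cfg.get("history") or []:
        m = ENV_IN_HISTORY.search(entry.get("created_by", ""))
        if not m:
            continue
        for name, value in KEY_VALUE.findall(m.group(1)):  # ENV A=1 B=2 ...
            reason = classify(name, value)
            if reason:
                findings.append({"where": "history", "name": name, "reason": reason})
    return findings


# Constructed sample mirroring the issue's Dockerfile; DB_BACKUP_ID carries
# AWS's published example key so the value-pattern path is exercised too.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64", "os": "linux",
    "config": {
        "Env": [
            "PATH=/usr/local/bin:/usr/bin:/bin",
            "PYTHONDONTWRITEBYTECODE=1",
            "PYTHONUNBUFFERED=1",
            "POSTGRES_HOST=database",
            "POSTGRES_USER=postgres",
            "POSTGRES_PASSWORD=postgres",
            "POSTGRES_DB=shopping_list",
            "DB_BACKUP_ID=AKIAIOSFODNN7EXAMPLE",
        ],
        "Cmd": ["gunicorn", "--bind", "0.0.0.0:8000", "app:app"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ENV POSTGRES_PASSWORD=postgres"},
        {"created_by": "COPY . /app/ # buildkit"},
    ],
})

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in find_env_secrets(src):
        print(f"{f['where']}: {f['name']} ({f['reason']})")
```

Run it with no argument to scan the embedded sample, or with a path to a saved `skopeo inspect --config` output. Note that the value itself is deliberately not printed, so the report can go into CI logs without re-leaking the secret; the `history` finding is the one a filesystem-only scan can never produce, because no layer tarball contains that string.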

53845714nF commented 2 months ago

I have created a new issue.