Hardcoded secret in ENV/ARG
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A secret-looking ENV or ARG is assigned a literal value, which is baked into an image layer and visible to anyone who can pull the image or read docker history.
Why it matters
A secret written as a literal ENV or ARG value is baked into an image layer. Anyone who can pull the image or run docker history can read it, and ENV values are also visible to every process in the running container. Rebuilding without the secret does not remove it from already-built images.
How to fix it
Do not put secrets in the Dockerfile. Pass them at runtime via the orchestrator secret store or docker run --env-file, or at build time with BuildKit secret mounts (RUN --mount=type=secret) which do not persist in layers. Then rotate the exposed secret, because it is compromised. For env-style config that is not secret, ENV is fine.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo