Will It Vibe logoWill It Vibe?
DOCKER-031Medium severity-8 points

Hardcoded password on a RUN command line

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A RUN command passes a literal password (a --password flag, PGPASSWORD/MYSQL_PWD, or a mysql -p value). The credential is stored in the image layer and process history. Heuristic.

Why it matters

A literal password on a RUN command line (a --password flag, PGPASSWORD/MYSQL_PWD, or mysql -p<value>) is stored in the image layer and visible in build logs and docker history. It also tends to be a real production or admin credential. This is a heuristic based on common password-flag patterns.

How to fix it

Do not put passwords in the Dockerfile. Read them from the environment or a BuildKit secret mount (RUN --mount=type=secret) at the moment they are needed, and never echo them. For database bootstrap, use the official image environment variables or an init step that reads a mounted secret. Rotate any password that was committed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks