Hardcoded password on a RUN command line
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A RUN command passes a literal password (a --password flag, PGPASSWORD/MYSQL_PWD, or a mysql -p value). The credential is stored in the image layer and process history. Heuristic.
Why it matters
A literal password on a RUN command line (a --password flag, PGPASSWORD/MYSQL_PWD, or mysql -p<value>) is stored in the image layer and visible in build logs and docker history. It also tends to be a real production or admin credential. This is a heuristic based on common password-flag patterns.
How to fix it
Do not put passwords in the Dockerfile. Read them from the environment or a BuildKit secret mount (RUN --mount=type=secret) at the moment they are needed, and never echo them. For database bootstrap, use the official image environment variables or an init step that reads a mounted secret. Rotate any password that was committed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo