Will It Vibe logoWill It Vibe?
SECRET-041High severity-15 points

Docker registry auth in config.json

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A Docker config.json embeds a base64 "auth" credential under "auths". It decodes to the registry username and password.

Why it matters

A Docker config.json under "auths" stores registry credentials as a base64 "auth" value that decodes directly to username:password. Committing it exposes push and pull access to your container registry. Anyone who reads the file can extract the credential.

How to fix it

Do not commit Docker config.json with auth entries. Use short-lived registry login at build time (docker login with a CI secret) or a credential helper, and add config.json to .gitignore. Rotate the exposed registry credential.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks