How does Qualys TotalCloud prevent secret leaks for Containers?  

Kong Yew Chan

Last updated on: October 19, 2023

This blog post introduces new product capabilities to help prevent container secret leaks. Discover how Qualys TotalCloud can provide a unified view of secrets-related risks. 

Why is Secret Detection Needed for Container Security? 

A recent study by researchers at the RWTH Aachen University in Germany found that 8.5% of container images hosted on Docker Hub contain confidential secrets. The study found 52,107 valid private keys and 3,158 distinct API secrets in 28,621 Docker images.

This means attackers can access sensitive data simply by downloading and running these images. Once an attacker has access to these secrets, they can launch a variety of attacks, such as: 

  • Man-in-the-middle attacks: Attackers could impersonate legitimate devices, intercept communications, or steal data. 
  • Ransomware or crypto mining attacks: Attackers could launch ransomware attacks or mine cryptocurrency for their benefits. 
  • Fraud: Attackers could steal money from accounts or make unauthorized purchases. 

Secret Detection is a critical and required feature for container security because many container images contain confidential secrets, which attackers can exploit to launch different kinds of attacks, primarily those mentioned above.

New Secret Detection Feature Helps Prevent Data Leakages

Secrets are sensitive data that should be protected, such as Access tokens, API keys, and encryption keys. When secrets are leaked, attackers can use them to gain unauthorized access to systems and data. It is critical to prevent these container images from being deployed in the production environment and protect the potential data leakage risks. 

This secret detection feature uses different techniques to identify secrets in container images: 

  • Scanning for known patterns of secrets, such as regex 
  • Identifying files that are commonly used to store secrets 
  • Provide out-of-box secret detection rules that detect the most famous secrets widely used by container developers 

Typically, secrets are accidentally included in the container images during the build process. Scanning those images in CI/CD pipelines and container registries is essential to preventing these accidental secret leaks. 

How do we use context-based prioritization for remediation? 

When a secret is detected within an image, you can prioritize the image based on the severity of the secret, the environment in which the image is being used, and the business impact of a data breach. You can also use Container Security APIs to be notified about these security risks and to automate the remediation process. 

Figure 1: Images with detected secret severities 
Figure 2: Widgets with detected secret severity 

You can create dashboards with custom widgets to view the prioritized risks across multiple images with secrets, so you can easily prioritize images to be remediated. For example, users can create individual widgets to show different images with severity. 

Benefits of Secret Detection for Containers 

The secret detection feature offers numerous benefits that are listed below: 

  • Helps identify and mitigate the risk of sensitive data being exposed in containerized environments 
  • Uses a variety of techniques to identify secrets, making it more difficult for attackers to evade detection 
  • Is easy to use and deploy 

What are the default Secret Detection rules? 

Qualys TotalCloud provides out-of-the-box (OOTB) secret detector rules so the secret detection features can effectively detect the common secret types used by container images. Currently, those secret detector rules are enabled by default, so it is easy to use the feature. 

Figure 3: Secret Detectors displayed under “Configurations” 

During troubleshooting scenarios, users want to know the details of a specific secret detector. For example, users can determine whether the rule effectively detects the known secret by reviewing the specific regex, as shown in Figure 4 below. 

Figure 4: Secret Detector Details for “AWS Secret Access Key” 

How to Get Started with Secret Detection for Containers 

To get started with this secret detection, you can follow the instructions below :   

  • Install Qualys Container Security sensor 1.26 or later 
  • Enable the secret detection feature argument “–perform-secret-detection” 

Once the secret detection feature is enabled in the sensor arguments, you can configure registry sensors to scan images across multiple container registries. Qualys Container Security will show the images found with secrets whenever secrets are detected during the scanning process. You can prioritize those images with detected secrets by selecting secret severity. In this release, each secret detector is preconfigured to trigger default severity, so you can filter those rules based on severity. For more details, you can read more details about Secret Detection documentation. 

Try Qualys TotalCloud Container Security today 

Get a free trial of Qualys TotalCloud Container Security and see how it can help you protect your sensitive data and prevent data leakage in your containerized environments.

 Get more details about Qualys TotalCloud Container Security

Share your Comments


Your email address will not be published. Required fields are marked *