
Container Image Secrets in Mend Container

Overview

Secrets are any kind of sensitive or private data that gives authorized users permission to access your IT infrastructure. These include keys and credentials such as SSH keys and certificates, TLS keys, encryption keys, API keys, database credentials, and more.

Secrets should be kept strictly private as attackers can easily find and use them to access and control the assets they are meant to protect. Developers may leave hard-coded secrets in container images, especially during rapid development and deployment cycles, thereby putting your organization and infrastructure at risk.

The Mend CLI scans your images to find any secrets that have been left behind.

Note: This article specifically covers the usage and support of the Mend CLI’s OS license detection feature. For general information on the Container Image engine of the Mend CLI, check out these articles:

Use cases for identifying container image secrets with the Mend CLI

  • As an AppSec Manager, your organization must comply with various security policies and regulations that require sensitive data to be protected at all times. If secrets are exposed in container images, the organization could face penalties and reputational damage.

  • As a DevOps Engineer, you are responsible for managing the company's internal tools and services. You create a container image that includes credentials for an internal system. If this image is leaked or compromised, an attacker could gain unauthorized access to the system.

Mend’s Answer: By implementing Mend CLI’s secret detection for your container images, you can ensure that any exposed secrets are identified and resolved before deployment.

Getting it done

Prerequisites before identifying container image secrets with the Mend CLI

The following prerequisites are required before running a Mend CLI Container Image scan:

  1. Download the Mend CLI

  2. Authenticate your login for the Mend CLI

Run the Mend CLI to identify your container image secrets

Secret detection is enabled by default. To initiate the Mend CLI Container Image scan, run the following command:

    mend image <image_name[:image_tag]>

View the secrets detected by the Mend CLI Container Image scan

Console results

The Mend CLI Container Image scan outputs a summary of the detected secrets ordered by their severity. To display the secrets in the terminal output, add --show=secret to the CLI command.

Example command: mend image <image_name[:image_tag]> --show=secret

Example output:

Field          Description
Category       The secret category, for example Cloud Provider, SaaS Provider, etc.
Severity       The secret severity level. Supported values: Critical, High, Medium, Low.
Description    A description and the type of the secret.
Layer Number   The image layer in which the secret was found.
File Path      The full path and name of the file in which the secret was found.
Start Line     The line in the file on which the secret starts.
End Line       The line in the file on which the secret ends.

Secrets in the Mend Platform User Interface

Within the Mend Platform, you can review each Mend CLI scan’s summary, details, and more. For more information on how to navigate through your Container Image scan results in the Mend Platform, visit the Review Top Risky Container Image Scan Results page.


Reference

Mend CLI-supported file types for secret detection

  • The Mend CLI scans all text-based files, including .json, .pem, .private, .txt (including Linux text files without a suffix), .yaml and more.

  • The Mend CLI scans source code files such as .go, .js, .py, etc.

Mend CLI-supported formats for secret detection

Format                      Details
Alibaba keys                Access, Secret
AWS Access Key ID           N/A
AWS Secret Access Key       N/A
Azure Storage Account Key   N/A
GitHub tokens               Refresh, Access, App, OAuth
Package manager tokens      RubyGem API token, NPM access token, PyPI upload token
Private key                 EC, RSA
SaaS keys & tokens          Slack, Shopify, Stripe, Twilio, Facebook, Twitter, Adobe, Asana, Atlassian, Databricks, Discord, Dropbox, Doppler, Dynatrace, Grafana, HashiCorp, HubSpot, and Intercom
SSH Key                     EC, RSA
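To make the console report fields and the supported formats above concrete, here is an added example (not Mend's own scanner code) of a minimal layer scanner: it walks text files taken from image layers, matches a few of the formats listed above, and returns findings carrying the same fields as the console report, ordered by severity. The sample layer contents, the regular expressions and the severity assignments are assumptions made for this example.

```python
import re
from collections import namedtuple
# One record per detected secret, with the same fields the console report shows.
Finding = namedtuple("Finding", "category severity description layer path start_line end_line")
# Single-line patterns as (category, severity, description, regex). Severities are assumptions
# made for this example, not Mend's own assignments.
LINE_RULES = [
    ("Cloud Provider", "Critical", "AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("SaaS Provider", "High", "GitHub token (access/OAuth/app/refresh)", re.compile(r"\bgh[opsur]_[A-Za-z0-9]{36,}\b")),
]
# PEM private keys span several lines, so they are reported with distinct start and end lines.
PEM_BEGIN = re.compile(r"-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----")
PEM_END = re.compile(r"-----END (RSA|EC|OPENSSH) PRIVATE KEY-----")
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def scan_file(layer, path, text):
    """Scan the contents of one file from one image layer; binary files are skipped."""
    if "\x00" in text:
        return []
    findings, open_block, lineno = [], None, 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if open_block is None:
            begin = PEM_BEGIN.search(line)
            if begin:
                open_block = (lineno, begin.group(1))
                continue
            for category, severity, desc, rx in LINE_RULES:
                if rx.search(line):
                    findings.append(Finding(category, severity, desc, layer, path, lineno, lineno))
        elif PEM_END.search(line):
            start, kind = open_block
            findings.append(Finding("Private Key", "Critical", f"{kind} private key", layer, path, start, lineno))
            open_block = None
    if open_block is not None:  # truncated key material is still a secret: report BEGIN..EOF
        findings.append(Finding("Private Key", "Critical", f"{open_block[1]} private key", layer, path, open_block[0], lineno))
    return findings

def scan_layers(files):
    """files maps (layer number, file path) -> contents; results are ordered like the CLI summary."""
    found = [f for (layer, path), text in files.items() for f in scan_file(layer, path, text)]
    return sorted(found, key=lambda f: (SEVERITY_ORDER[f.severity], f.layer, f.path, f.start_line))

# Constructed sample layer contents; every value is a synthetic placeholder, not a live credential.
SAMPLE_LAYER_FILES = {
    (2, "/app/.env"): "DB_HOST=db\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    (4, "/root/.ssh/id_rsa"): "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    (4, "/app/deploy.sh"): "export GH_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n",
    (5, "/usr/local/bin/tool"): "\x7fELF\x00\x00\x00",
}
```

Running `scan_layers(SAMPLE_LAYER_FILES)` yields the AWS key and the RSA key first (Critical), then the GitHub token (High); the ELF binary is skipped because only text-based files are scanned.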
