Secrets Detection

Container secrets are digital credentials providing identity authentication and authorizing access to privileged accounts, applications, and services. They can include passwords, API keys, and other credentials that are needed for applications to function properly.

If these secrets are not properly secured, they can be accessed by unauthorized users, leading to malicious attacks. Therefore, discovering secrets is one of the important aspects of container security that organizations must prioritize to protect their sensitive data, meet compliance requirements, and reduce the risk of security incidents.

Container Security Sensor can detect secrets in container images, enabling you to mitigate the security risks that arise from the accidental or intentional exposure of secrets within containers.

To enable secret detection, pass the --perform-secret-detection parameter when you launch the sensor.

Secret detection works by scanning the image filesystem. It does not detect secrets that are stored as environment variables or passed as arguments within the image. Because every file is inspected, the time secret detection takes depends on the number of files present in the image.
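To make the scope described above concrete, the following is an added illustrative example (not the Container Security Sensor's own detector): a minimal scanner that walks an extracted image root filesystem, flags file contents that match a few constructed credential patterns, skips binaries and symlinks, and reports the environment-variable names that such a filesystem scan never looks at. The sample rootfs, the patterns and the image environment are all constructed here for the example; the AWS key value is the publicly documented example key, not a real credential.

```python
"""Minimal filesystem secret scanner (illustrative; not the sensor's code).

It walks an extracted image rootfs, matches each text line against a few
constructed credential patterns, and counts files read so the cost of the scan
can be related to the number of files in the image.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed patterns for a few common credential shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]?[^\s'\"]{8,}"),
}


@dataclass
class Finding:
    path: str   # path relative to the rootfs
    line: int   # 1-based line number
    kind: str   # which pattern matched


def is_probably_binary(data: bytes) -> bool:
    """Treat a NUL byte in the first 8 KiB as a sign of a binary file."""
    return b"\x00" in data[:8192]


def scan_rootfs(rootfs: str, max_bytes: int = 1_000_000) -> Tuple[List[Finding], int]:
    """Return (findings, files_read) for every regular file under rootfs."""
    findings: List[Finding] = []
    files_read = 0
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            files_read += 1
            if is_probably_binary(data):
                continue
            text = data.decode("utf-8", errors="replace")
            rel = os.path.relpath(full, rootfs)
            for lineno, line in enumerate(text.splitlines(), start=1):
                for kind, rx in PATTERNS.items():
                    if rx.search(line):
                        findings.append(Finding(rel, lineno, kind))
    return sorted(findings, key=lambda f: (f.path, f.line, f.kind)), files_read


def scan_image(rootfs: str, image_env: Dict[str, str]) -> dict:
    """Filesystem findings plus the env keys a filesystem scan does not cover."""
    findings, files_read = scan_rootfs(rootfs)
    return {
        "filesystem": findings,
        "files_read": files_read,
        "env_not_scanned": sorted(image_env),  # values are never inspected
    }


def build_sample_rootfs() -> str:
    """Constructed rootfs: two text files with secrets and one binary."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "app", "config"))
    with open(os.path.join(root, "app", "config", "settings.ini"), "w") as fh:
        fh.write("[db]\nhost=db.internal\npassword = Sup3rSecretValue\n")
    with open(os.path.join(root, "app", "creds.txt"), "w") as fh:
        fh.write("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    with open(os.path.join(root, "app", "server.bin"), "wb") as fh:
        fh.write(b"\x7fELF\x00\x00AKIAIOSFODNN7EXAMPLE")  # binary, skipped
    return root


if __name__ == "__main__":
    sample = build_sample_rootfs()
    result = scan_image(sample, {"DB_PASSWORD": "env-only-secret"})
    for f in result["filesystem"]:
        print(f"{f.path}:{f.line}: {f.kind}")
    print("files read:", result["files_read"])
    print("env keys not covered by filesystem scan:", result["env_not_scanned"])
```

Running the block shows the two file-based secrets, the binary being skipped, and DB_PASSWORD listed as outside the scan's coverage; the files_read counter is the quantity the page's performance note refers to.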

For optimal secret detection performance, allocate a higher CPU count to the sensor container. Ensure that at least two host CPUs are dedicated to the sensor container.

For instance:

- When using the InstallSensor.sh script, by default only 20% of the host's CPUs are utilized by the sensor container.

- When using docker run, by default all CPUs of the host are fully utilized for the sensor container.

Note: Secret detection is supported only on:

- Sensors: CICD and registry

- OS: Linux

- Runtimes: Docker, Containerd, and CRI-O

For more information about secret detection, see Online Help: Detect Container Secrets.