Back to catalog

Improper Usage of Orchestrator Secrets Volume

No violationsstackroxlowdeploy

Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'

Rationale
/run/secrets is a path for secrets that gets populated by the orchestrator. Volumes should not be used for secrets, and data mounts should have a separate mount path.
Remediation
Mount the volume to a different path. If secrets are stored in the volume, utilize the orchestrator secrets or your security team's secret management solution instead.
CategoriesDevOps Best Practices
Compliance mappingsView coverage →
ISO/IEC 27001 2022
A.8.25
SOC 2 2017 TSC
CC8.1

Generated artifacts

1 of 5 targets supported
improper-usage-of-orchestrator-secrets-volume.rego
# Improper Usage of Orchestrator Secrets Volume (trivy)
# severity: low
# source: stackrox/e971db42-e8d4-4a1d-a30c-41142ba54d71
package trivy.improper_usage_of_orchestrator_secrets_volume

deny[msg] {
  # rule 1
  some inst
  inst := input.Misconfigurations[_].Message
  contains(inst, {"VOLUME=(?:(?:[,\[\s]?)|(?:.*[,\s]+))/run/secrets(?:$|[,\]\s]).*"}[_])
  msg := "[low] Improper Usage of Orchestrator Secrets Volume: Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'"
}
IR (canonical)
{
  "id": "e971db42-e8d4-4a1d-a30c-41142ba54d71",
  "name": "Improper Usage of Orchestrator Secrets Volume",
  "description": "Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'",
  "rationale": "/run/secrets is a path for secrets that gets populated by the orchestrator. Volumes should not be used for secrets, and data mounts should have a separate mount path.",
  "remediation": "Mount the volume to a different path. If secrets are stored in the volume, utilize the orchestrator secrets or your security team's secret management solution instead.",
  "severity": "low",
  "categories": [
    "DevOps Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "dockerfile-line",
    "values": [
      "VOLUME=(?:(?:[,\\[\\s]?)|(?:.*[,\\s]+))/run/secrets(?:$|[,\\]\\s]).*"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "e971db42-e8d4-4a1d-a30c-41142ba54d71",
  "name": "Improper Usage of Orchestrator Secrets Volume",
  "description": "Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'",
  "rationale": "/run/secrets is a path for secrets that gets populated by the orchestrator. Volumes should not be used for secrets, and data mounts should have a separate mount path.",
  "remediation": "Mount the volume to a different path. If secrets are stored in the volume, utilize the orchestrator secrets or your security team's secret management solution instead.",
  "disabled": false,
  "categories": [
    "DevOps Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Dockerfile Line",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "VOLUME=(?:(?:[,\\[\\s]?)|(?:.*[,\\s]+))/run/secrets(?:$|[,\\]\\s]).*"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}