Improper Usage of Orchestrator Secrets Volume
No violationsstackroxlowdeployAlert on deployments that use a Dockerfile with 'VOLUME /run/secrets'
- Rationale
- /run/secrets is a path for secrets that gets populated by the orchestrator. Volumes should not be used for secrets, and data mounts should have a separate mount path.
- Remediation
- Mount the volume to a different path. If secrets are stored in the volume, utilize the orchestrator secrets or your security team's secret management solution instead.
CategoriesDevOps Best Practices
Compliance mappingsView coverage →
- ISO/IEC 27001 2022
- A.8.25
- SOC 2 2017 TSC
- CC8.1
Generated artifacts
1 of 5 targets supportedimproper-usage-of-orchestrator-secrets-volume.rego
# Improper Usage of Orchestrator Secrets Volume (trivy)
# severity: low
# source: stackrox/e971db42-e8d4-4a1d-a30c-41142ba54d71
package trivy.improper_usage_of_orchestrator_secrets_volume
deny[msg] {
# rule 1
some inst
inst := input.Misconfigurations[_].Message
contains(inst, {"VOLUME=(?:(?:[,\[\s]?)|(?:.*[,\s]+))/run/secrets(?:$|[,\]\s]).*"}[_])
msg := "[low] Improper Usage of Orchestrator Secrets Volume: Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'"
}
IR (canonical)
{
"id": "e971db42-e8d4-4a1d-a30c-41142ba54d71",
"name": "Improper Usage of Orchestrator Secrets Volume",
"description": "Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'",
"rationale": "/run/secrets is a path for secrets that gets populated by the orchestrator. Volumes should not be used for secrets, and data mounts should have a separate mount path.",
"remediation": "Mount the volume to a different path. If secrets are stored in the volume, utilize the orchestrator secrets or your security team's secret management solution instead.",
"severity": "low",
"categories": [
"DevOps Best Practices"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "dockerfile-line",
"values": [
"VOLUME=(?:(?:[,\\[\\s]?)|(?:.*[,\\s]+))/run/secrets(?:$|[,\\]\\s]).*"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "e971db42-e8d4-4a1d-a30c-41142ba54d71",
"name": "Improper Usage of Orchestrator Secrets Volume",
"description": "Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'",
"rationale": "/run/secrets is a path for secrets that gets populated by the orchestrator. Volumes should not be used for secrets, and data mounts should have a separate mount path.",
"remediation": "Mount the volume to a different path. If secrets are stored in the volume, utilize the orchestrator secrets or your security team's secret management solution instead.",
"disabled": false,
"categories": [
"DevOps Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Dockerfile Line",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "VOLUME=(?:(?:[,\\[\\s]?)|(?:.*[,\\s]+))/run/secrets(?:$|[,\\]\\s]).*"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}