9.3.4.5 Environment Secret Exposure
A focused guide to Environment Secret Exposure, connecting core concepts with practical Docker and container operations.
Environment secret exposure refers to the various ways a sensitive value passed through an ordinary environment variable can become unintentionally visible. That risk is the main reason to prefer Compose's dedicated secrets mechanism for genuinely sensitive configuration.
How Environment Variables Can Be Inadvertently Exposed
A process's environment variables are visible to anyone who can inspect that process, can appear in crash dumps or core files, and are sometimes inadvertently captured in application logs during startup or error handling.
docker exec myapp env
Anyone with sufficient access to run a command like this against a running container can see every environment variable that container has, including any that hold sensitive values.
A Concrete Example of Accidental Logging Exposure
An application that logs its full configuration at startup for debugging purposes might inadvertently include sensitive environment variable values in that log output.
import os
# Dumps every environment variable, credentials included, straight into the log.
print(f"Starting with config: {dict(os.environ)}")
This pattern, if it includes sensitive variables, writes them directly into log output, potentially persisting them somewhere far less access-controlled than intended.
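The following is an added example (not code from the original guide) that places the naive config dump beside a redacting version and adds a simple leak check for log output. The key-name pattern, sample environment and log lines are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Assumed, non-exhaustive list of key names that usually hold credentials.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|CREDENTIAL)", re.IGNORECASE
)


def redact_config(env: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of an environment mapping with credential-like values masked.

    Hardened counterpart of logging dict(os.environ) directly: the operator still
    sees which settings are present, but never their values.
    """
    redacted: Dict[str, str] = {}
    for key, value in env.items():
        redacted[key] = "<redacted>" if SENSITIVE_KEY_PATTERN.search(key) else value
    return redacted


def find_secret_leaks(log_lines: Iterable[str], secrets: Dict[str, str]) -> List[Tuple[int, str]]:
    """Scan log output for the literal value of any known secret.

    Returns (line_number, secret_name) pairs for each occurrence. Useful as a
    test-time check that startup logging never prints credentials.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        for name, value in secrets.items():
            if value and value in line:
                hits.append((lineno, name))
    return hits


# Constructed sample environment (not real credentials).
SAMPLE_ENV = {
    "APP_ENV": "production",
    "DB_HOST": "db.internal",
    "DB_PASSWORD": "s3cr3t-example-value",
    "API_TOKEN": "tok-example-123",
}

# The startup line each logging style would produce for that environment.
NAIVE_LOG = [f"Starting with config: {SAMPLE_ENV}"]
SAFE_LOG = [f"Starting with config: {redact_config(SAMPLE_ENV)}"]


def known_secrets(env: Dict[str, str]) -> Dict[str, str]:
    """Pick out the credential-like entries whose values must never reach a log."""
    return {k: v for k, v in env.items() if SENSITIVE_KEY_PATTERN.search(k)}


if __name__ == "__main__":
    secrets = known_secrets(SAMPLE_ENV)
    print("naive log leaks:   ", find_secret_leaks(NAIVE_LOG, secrets))
    print("redacted log leaks:", find_secret_leaks(SAFE_LOG, secrets))
```

The redaction is keyed on variable names, so a credential stored under an unusual name would still slip through; the leak scanner is the complementary check because it matches on the secret values themselves.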
Why File-Based Secrets Reduce This Particular Risk
A secret provided as a mounted file, rather than an environment variable, is less likely to be swept up by this kind of broad, inadvertent logging or inspection, since it requires deliberately reading a specific file path rather than being passed along automatically with the process's environment.
services:
  api:
    secrets:
      - db-password

secrets:
  db-password:
    file: ./secrets/db-password.txt
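As an added example (not code from the original guide), this is how the api service above would consume the mounted secret. Compose places each declared secret at /run/secrets/<name> inside the container; the reader function deliberately has no environment-variable fallback, and the demo simulates the mount with a temporary directory so it runs outside a container.

```python
import os
import tempfile
from pathlib import Path

# Compose mounts each declared secret as a file under /run/secrets/<name>.
DEFAULT_SECRETS_DIR = Path("/run/secrets")


class SecretNotFound(RuntimeError):
    """Raised when a required secret file is not mounted."""


def read_secret(name: str, secrets_dir: Path = DEFAULT_SECRETS_DIR) -> str:
    """Read one secret from its mounted file.

    No fallback to os.environ on purpose: a silent fallback would quietly
    reintroduce the environment exposure path this section describes.
    """
    path = secrets_dir / name
    if not path.is_file():
        raise SecretNotFound(f"secret {name!r} not mounted at {path}")
    # Compose copies the source file verbatim, so strip the trailing newline
    # that editors add to ./secrets/db-password.txt.
    return path.read_text(encoding="utf-8").rstrip("\r\n")


def describe_secrets(names, secrets_dir: Path = DEFAULT_SECRETS_DIR) -> dict:
    """Safe startup diagnostics: report presence of each secret, never its content."""
    return {name: (secrets_dir / name).is_file() for name in names}


def demo_with_temp_secrets_dir() -> dict:
    """Simulate the mount with a temp dir; the password value is constructed."""
    with tempfile.TemporaryDirectory() as d:
        secrets_dir = Path(d)
        (secrets_dir / "db-password").write_text("example-db-password\n", encoding="utf-8")
        password = read_secret("db-password", secrets_dir)
        try:
            read_secret("missing-secret", secrets_dir)
            missing_raises = False
        except SecretNotFound:
            missing_raises = True
        return {
            "password": password,
            "missing_raises": missing_raises,
            # The value never entered the process environment, so a broad
            # dump of os.environ cannot include it.
            "in_environ": password in os.environ.values(),
            "diagnostics": describe_secrets(["db-password", "missing-secret"], secrets_dir),
        }


if __name__ == "__main__":
    result = demo_with_temp_secrets_dir()
    print("startup diagnostics:", result["diagnostics"])
    print("secret present in os.environ:", result["in_environ"])
```

Logging only describe_secrets() at startup gives the operator the same "is it configured?" signal the naive config dump was after, without the value ever touching a log line.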
Auditing for This Kind of Accidental Exposure
Reviewing application logging code and configuration-dumping behavior for any inadvertent inclusion of sensitive environment variables is a worthwhile check, particularly for code that broadly logs its full configuration.
grep -r "os.environ" --include="*.py" .
Why Environment Secret Exposure Matters
Understanding these specific exposure risks reinforces why genuinely sensitive values are better handled through a more careful mechanism like Compose's secrets, rather than the comparatively more exposed pathway ordinary environment variables represent.