6.3.1.5 Environment Secret Risk
A focused guide to Environment Secret Risk, connecting core concepts with practical Docker and container operations.
Environment secret risk is the danger of passing genuinely sensitive values — passwords, API keys, tokens — as plain environment variables at container run time, since these values are visible to anyone who can inspect the container's configuration, regardless of how carefully the image itself was built.
Why Runtime Environment Variables Are Visible
A value baked into an image is its own problem (it ships in the image layers and shows up in docker history for anyone who can pull the image), but a runtime-supplied environment variable is exposed through a different channel: the Docker daemon stores it in the container's configuration on the host and returns it from docker inspect to anyone who can reach the Docker socket, for as long as the container object exists, including after it has stopped. Inside the container the value is also inherited by every child process the application starts, so it tends to surface in crash reports and debug output as well.
docker run -d --name myapp -e DATABASE_PASSWORD=supersecret123 myapp:1.0
docker inspect myapp --format '{{json .Config.Env}}'
This prints the whole environment, secret included, to anyone who can run docker inspect. Access to the Docker socket is equivalent to root on the host, so in practice that is every administrator, CI runner and agent that can talk to the daemon, and the value stays readable until the container is removed, not just while it is running.
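A quick audit for the exposure just described, as an added example that is not part of the original page: a filter that flags environment entries whose names look like credentials, fed either from docker inspect on a real host or, as here, from a constructed sample of what .Config.Env contains. The name patterns and the sample values are assumptions for the demo.

```shell
# Added example: flag environment entries whose names look like credentials.
# Reads KEY=VALUE lines on stdin and prints the offending names (never values).
flag_secret_env() {
  # Name patterns are an assumption; extend them for local conventions.
  grep -Ei '^[^=]*(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)[^=]*=' \
    | cut -d= -f1
}

# Audit every container object on this host, running or stopped, since a
# stopped container still carries its configuration.
audit_host() {
  docker ps -aq | while read -r cid; do
    name=$(docker inspect --format '{{.Name}}' "$cid")
    docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$cid" \
      | flag_secret_env | sed "s|^|${name#/}: |"
  done
}

# Constructed sample of .Config.Env output, so the filter can be exercised
# without a Docker daemon.
sample_env='PATH=/usr/local/sbin:/usr/local/bin
DATABASE_PASSWORD=supersecret123
APP_PORT=8080
STRIPE_API_KEY=sk_live_example
LOG_LEVEL=info'

printf '%s\n' "$sample_env" | flag_secret_env
```

Run audit_host on a Docker host to list every container that carries a credential-looking variable; the filter deliberately prints only names, so its output can be pasted into a ticket without leaking the values a second time.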
Why Process Listings Can Also Expose Secrets
Supplying a secret as a command-line argument is broader still. The kernel publishes every process's arguments in /proc/<pid>/cmdline, which is world-readable unless /proc is mounted with hidepid, so the value appears in a plain ps on the host to any local user, not only to those with Docker access (environment variables are at least limited to the process owner and root via /proc/<pid>/environ). The argument is also recorded in the container's configuration and shown by docker ps.
docker run -d --name myapp myapp:1.0 --db-password=supersecret123
ps -eo pid,user,args | grep -- '--db-password'
docker ps --no-trunc --format '{{.Names}}: {{.Command}}'
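The two exposure paths above, demonstrated from the host side as an added example that is not part of the original page. It reads the kernel's /proc view of a process, which is the same data ps and docker inspect ultimately report, so it is Linux-only. Instead of a real container it starts a stand-in process given a constructed secret both as an argument and as an environment variable; on a real host the container's main process would be located with docker inspect --format '{{.State.Pid}}' myapp.

```shell
# Added example: where the kernel keeps a process's command line and environment.
# Linux only (uses /proc). Values are constructed for the demo, not real credentials.

# Start a stand-in "application": a sleeping shell given the same secret both
# as a command-line argument and as an environment variable. Prints its pid.
start_victim() {
  DB_PASSWORD='supersecret123' sh -c 'sleep 30' --db-password=supersecret123 \
    >/dev/null 2>&1 &
  pid=$!
  # Wait until the child has exec'd (its cmdline then mentions sleep); before
  # that /proc shows the pre-exec copy of this shell, not the new process.
  n=0
  until tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | grep -q sleep || [ "$n" -ge 5 ]; do
    sleep 1; n=$((n + 1))
  done
  echo "$pid"
}

# /proc/<pid>/cmdline is world-readable by default (unless /proc is mounted with
# hidepid), so this is exactly what any local user sees in `ps`.
cmdline_leaks() {  # $1 = pid, $2 = secret; prints the number of matching lines
  tr '\0' ' ' < "/proc/$1/cmdline" | grep -c -- "$2"
}

# /proc/<pid>/environ is readable only by the process owner and root, which on a
# Docker host still means everyone with access to the Docker socket.
environ_leaks() {  # $1 = pid, $2 = secret; prints the number of matching lines
  tr '\0' '\n' < "/proc/$1/environ" | grep -c -- "$2"
}

pid=$(start_victim)
echo "secret visible in cmdline: $(cmdline_leaks "$pid" supersecret123)"
echo "secret visible in environ: $(environ_leaks "$pid" supersecret123)"
kill "$pid" 2>/dev/null || true
```

Both counts come back non-zero: the argument is visible to every local user, the environment variable to the process owner and root. Neither is hidden by the container boundary, because from the host kernel's point of view the containerised application is an ordinary process.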
Safer Alternatives for Genuinely Sensitive Values
Dedicated secrets management keeps the value out of both the container's inspectable configuration and every process listing: Docker secrets in Swarm (stored encrypted in the managers' Raft log, delivered only to the nodes that run the task, and mounted on an in-memory filesystem at /run/secrets/<name>), Compose file-based secrets (the same /run/secrets mount, available without Swarm), a read-only mounted file, or an external secrets manager that the application queries at start-up.
docker secret create db_password ./db_password.txt
docker service create --name myapp --secret db_password myapp:1.0
docker run -d --name myapp -v "$PWD/db_password.txt":/run/secrets/db_password:ro myapp:1.0
A mounted secret file, read by the application at start-up, avoids the exposure that comes with the value appearing in the container configuration or on a command line; docker inspect still shows the mount source and target, but not the file's contents. Two caveats apply to the bind-mount form: the host file must be protected by ownership and mode (a bind mount preserves host uid and gid, so it should be readable by the uid the container runs as and by nobody else), and the application must not copy the value back into its environment or onto the command line of a subprocess, or the original exposure returns.
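The receiving side of a mounted secret, as an added example that is not part of the original page: an entrypoint helper that resolves a secret from /run/secrets or from a file named by a *_FILE variable (the convention many official images use, e.g. DB_PASSWORD_FILE), falls back to a plain environment variable only as a last resort and warns when it does. The SECRETS_DIR override, the read_secret name and the constructed secret file are assumptions for the demo.

```shell
# Added example: resolve a secret from a mounted file instead of a plain env var.
# Lookup order for read_secret NAME:
#   1. $SECRETS_DIR/<name in lower case>  (Docker/Compose secret mount; default /run/secrets)
#   2. the file named by $NAME_FILE         (*_FILE convention)
#   3. the plain variable $NAME             (discouraged: visible via docker inspect)
read_secret() {
  name=$1
  # Only accept a plain identifier; the name is interpolated into eval below.
  case $name in
    ''|*[!A-Za-z0-9_]*|[0-9]*) echo "read_secret: bad name '$name'" >&2; return 2 ;;
  esac
  lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
  dir=${SECRETS_DIR:-/run/secrets}
  eval "file_var=\${${name}_FILE:-}"
  eval "plain=\${${name}:-}"

  if [ -r "$dir/$lower" ]; then
    printf '%s' "$(cat "$dir/$lower")"          # $(...) drops the trailing newline
  elif [ -n "$file_var" ] && [ -r "$file_var" ]; then
    printf '%s' "$(cat "$file_var")"
  elif [ -n "$plain" ]; then
    echo "warning: $name came from a plain environment variable; move it to ${name}_FILE or a mounted secret" >&2
    printf '%s' "$plain"
  else
    echo "error: no value for $name (mount $dir/$lower or set ${name}_FILE)" >&2
    return 1
  fi
}

# Demo with a constructed secret file standing in for /run/secrets/db_password.
demo_dir=$(mktemp -d)
printf 'supersecret123\n' > "$demo_dir/db_password"
chmod 0400 "$demo_dir/db_password"
SECRETS_DIR=$demo_dir
pw=$(read_secret DB_PASSWORD)
echo "resolved ${#pw} characters for DB_PASSWORD"   # report the length, never the value
rm -rf "$demo_dir"
unset SECRETS_DIR
```

In a real entrypoint, hand the result to the application through a file path or stdin rather than exporting it (export DB_PASSWORD="$(read_secret DB_PASSWORD)" would put it straight back into the inheritable environment), and treat the warning branch as a deployment bug to fix, not a supported mode.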
Why Environment Secret Risk Matters
Runtime environment variables are convenient, but anyone with inspection access to the container can read them, and a value passed on the command line is readable by any local user on the host. Recognising this is what lets you reserve plain environment variables for configuration that is not actually sensitive, such as ports, hostnames and feature flags, and route passwords, keys and tokens through a secrets mechanism instead.