
11.1.3.5 Exposed Secret Rotation

A focused guide to Exposed Secret Rotation, connecting core concepts with practical Docker and container operations.

Exposed secret rotation is the necessary remediation step once a secret is discovered to have been leaked into an image — whether through a layer, an ENV instruction, or a build argument — since simply removing the secret from future builds doesn't undo the exposure of the original, already-leaked value.

Why Removing a Leaked Secret From the Dockerfile Isn't Sufficient

Fixing a Dockerfile to stop embedding a secret prevents future builds from leaking it, but does nothing about the original value that was already exposed in previously built and possibly already-distributed images.

# Before: the value is written into the image configuration and recorded in layer history
ENV API_KEY=secret123

# After: the secret is mounted only for this build step and is never written into a layer
RUN --mount=type=secret,id=api_key cat /run/secrets/api_key

Fixing the Dockerfile this way prevents the issue going forward, but the original secret123 value, having already been embedded in previously built images, remains exposed wherever those images exist.
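The following added example (not code from the original guide) shows why the fix above does not help already-built images: it scans the OCI image configuration blob that every pulled image carries (the JSON `docker save` writes alongside the layers) for credential-like environment variables, both in the final `config.Env` and in the per-layer `history`, where an `ENV` instruction stays recorded even if a later layer unsets it. It also checks several tags at once, which is the same check you would run over everything fetched with `docker pull --all-tags` in the audit section below. The sample configs, tag names, variable-name patterns and the `secret123` value are constructed for the example.

```python
import json
import re

# Constructed sample image configs in the OCI/Docker image-config format.
# Tag 1.0 mimics an image built from a Dockerfile that contained `ENV API_KEY=secret123`;
# tag 1.1 mimics the rebuilt image that uses `RUN --mount=type=secret` instead.
# All values are made up for this example.
SAMPLE_CONFIGS_BY_TAG = {
    "registry.example.com/myteam/myapp:1.0": json.dumps({
        "config": {
            "Env": ["PATH=/usr/local/bin:/usr/bin:/bin", "API_KEY=secret123"],
            "Cmd": ["python", "app.py"],
        },
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:abc in / "},
            {"created_by": "/bin/sh -c #(nop)  ENV API_KEY=secret123", "empty_layer": True},
            {"created_by": "/bin/sh -c pip install -r requirements.txt"},
        ],
    }),
    "registry.example.com/myteam/myapp:1.1": json.dumps({
        "config": {
            "Env": ["PATH=/usr/local/bin:/usr/bin:/bin"],
            "Cmd": ["python", "app.py"],
        },
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:abc in / "},
            {"created_by": "RUN --mount=type=secret,id=api_key cat /run/secrets/api_key # buildkit"},
            {"created_by": "/bin/sh -c pip install -r requirements.txt"},
        ],
    }),
}

# Variable names that usually carry credentials. Hypothetical starting list;
# extend it to match your own naming conventions.
SENSITIVE_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL", re.IGNORECASE)
# Matches the `ENV NAME=value` form that Docker records verbatim in layer history.
HISTORY_ENV_RE = re.compile(r"\bENV\s+([A-Za-z_][A-Za-z0-9_]*)=(\S+)")


def find_exposed_env_secrets(image_config_json):
    """Return (location, name, value) tuples for credential-like environment
    variables in an image config: the final config.Env plus every ENV
    instruction still recorded in the layer history."""
    cfg = json.loads(image_config_json)
    findings = []
    for entry in cfg.get("config", {}).get("Env", []):
        name, _, value = entry.partition("=")
        if SENSITIVE_NAME_RE.search(name):
            findings.append(("config.Env", name, value))
    for i, layer in enumerate(cfg.get("history", [])):
        m = HISTORY_ENV_RE.search(layer.get("created_by", ""))
        if m and SENSITIVE_NAME_RE.search(m.group(1)):
            findings.append((f"history[{i}]", m.group(1), m.group(2)))
    return findings


def leaked_values(image_config_json):
    """Distinct secret values in one image; each must be treated as compromised."""
    return sorted({value for _, _, value in find_exposed_env_secrets(image_config_json)})


def tags_still_exposing(value, configs_by_tag):
    """Which tags still carry the leaked value, so you know which images to
    withdraw. Rotation is required regardless of how many tags this reports."""
    return sorted(tag for tag, cfg in configs_by_tag.items()
                  if value in leaked_values(cfg))


if __name__ == "__main__":
    for tag, cfg in SAMPLE_CONFIGS_BY_TAG.items():
        for location, name, value in find_exposed_env_secrets(cfg):
            print(f"{tag}: {name} exposed in {location} (value {value!r})")
    print("tags still exposing secret123:",
          tags_still_exposing("secret123", SAMPLE_CONFIGS_BY_TAG))
```

On a real image the same data is available without unpacking anything: `docker image inspect <image>` prints the final environment under `.Config.Env`, and `docker history --no-trunc <image>` prints the recorded instructions, which is where the leaked value keeps living after the Dockerfile has been fixed. Build arguments consumed by `RUN` steps are recorded in that history as well, so a scan of this kind should cover them too.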

Why the Actual Credential Must Be Rotated

Treating the originally leaked value as compromised, and rotating it to an entirely new value at its source — the actual service or system the credential grants access to — is the only way to actually neutralize the exposure.

# Issue a replacement key, deploy it to every consumer, then retire the leaked one
aws iam create-access-key
aws iam delete-access-key --access-key-id <old-key-id>

This rotates the actual underlying credential, rendering the previously leaked value useless even if a copy of it persists somewhere from an old, already-distributed image.

Auditing for Where the Leaked Image Might Have Been Distributed

Understanding how widely a leaking image might have been pulled or distributed helps assess the scope of potential exposure and informs how urgently rotation needs to happen.

# Fetch every published tag so each one can be inspected for the leaked value
docker pull registry.example.com/myteam/myapp --all-tags

Removing or Replacing Already-Published Leaking Images

Where feasible, removing or replacing previously published images known to contain the leaked secret reduces ongoing exposure, though rotation of the actual credential remains the essential, non-optional step regardless.

# Removes the local copy only; the registry's own API or UI must be used to withdraw the published tag
docker rmi registry.example.com/myteam/myapp:1.0

Why Exposed Secret Rotation Matters

Fixing the build process alone is necessary but not sufficient once a secret has actually leaked — rotating the underlying credential is the essential step that actually neutralizes the exposure of whatever value was already leaked into existing images.