We analyzed 10,000 public Docker Hub images and found credentials in 14% of them.

Docker images are a rich source of leaked secrets. Image layers are additive: a file added in one layer and removed in a later one is not actually gone. The later layer only carries a whiteout marker (a `.wh.` entry) that hides the path at runtime, and the original bytes remain in the earlier layer, where anyone who pulls the image can read them with `docker save` and a tar extractor. A `RUN rm secret.env` after a `COPY` therefore does nothing for secrecy. We scanned 10,000 of the most-pulled public Docker Hub images using TruffleHog and found hardcoded credentials in 1,412 of them: AWS keys, database passwords, API tokens, and private certificates. This post walks through the methodology, common patterns we found, and how to scan your own images.
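To make the layer-retention point concrete, here is an added example (not the post's own tooling, and not TruffleHog) that walks every layer of a `docker save` tarball, records whiteout markers, and reports secret-looking files together with whether a later layer "deleted" them. The image is constructed in memory so the script runs offline; the credential patterns are a small illustrative subset, and the file paths, tag `example/app:latest` and the sample key are assumptions.

```python
import io
import json
import re
import tarfile

# Assumption: a small illustrative subset of detectors, not TruffleHog's rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_password": re.compile(rb"(?i)password\s*=\s*\S+"),
}

WHITEOUT_PREFIX = ".wh."          # per-file whiteout: app/.wh..env hides app/.env
OPAQUE_WHITEOUT = ".wh..wh..opq"  # opaque whiteout: hides every earlier entry in that directory


def _tar_bytes(entries):
    """Build an in-memory tar from {path: bytes}. Only used to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed sample in `docker save` layout (manifest.json + one layer.tar per layer).
    Layer 0 copies a .env containing a (fake, assumed) AWS key; layer 1 is `RUN rm app/.env`,
    which produces a whiteout entry rather than removing the bytes."""
    layer0 = _tar_bytes({
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=hunter2\n",
        "app/main.py": b"print('hello')\n",
    })
    layer1 = _tar_bytes({"app/" + WHITEOUT_PREFIX + ".env": b""})
    manifest = json.dumps([{
        "Config": "cfg.json",
        "RepoTags": ["example/app:latest"],
        "Layers": ["l0/layer.tar", "l1/layer.tar"],
    }]).encode()
    return _tar_bytes({"manifest.json": manifest, "l0/layer.tar": layer0, "l1/layer.tar": layer1})


def scan_image(image_bytes):
    """Return findings as (layer_index, path, pattern_name, hidden_by_later_layer)
    for every regular file in every layer that matches a PATTERNS entry."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        layer_blobs = [img.extractfile(name).read() for name in manifest[0]["Layers"]]

    # Parse each layer once: regular file contents, per-file whiteouts, opaque directories.
    parsed = []
    for blob in layer_blobs:
        files, deleted, opaque = {}, set(), set()
        with tarfile.open(fileobj=io.BytesIO(blob)) as layer:
            for m in layer.getmembers():
                dirname, _, base = m.name.rpartition("/")
                if base == OPAQUE_WHITEOUT:
                    opaque.add(dirname)
                elif base.startswith(WHITEOUT_PREFIX):
                    target = base[len(WHITEOUT_PREFIX):]
                    deleted.add(dirname + "/" + target if dirname else target)
                elif m.isfile():
                    files[m.name] = layer.extractfile(m).read()
        parsed.append((files, deleted, opaque))

    def hidden_later(idx, path):
        # A later layer hides `path` either by exact whiteout or by an opaque parent directory.
        for _, deleted, opaque in parsed[idx + 1:]:
            if path in deleted or any(path.startswith(d + "/") for d in opaque):
                return True
        return False

    findings = []
    for idx, (files, _, _) in enumerate(parsed):
        for path, data in files.items():
            for name, rx in PATTERNS.items():
                if rx.search(data):
                    findings.append((idx, path, name, hidden_later(idx, path)))
    return findings


if __name__ == "__main__":
    for layer_idx, path, pattern, hidden in scan_image(build_sample_image()):
        state = "deleted in a later layer but still present" if hidden else "present in final image"
        print(f"layer {layer_idx}: {path}: {pattern} ({state})")
```

Against a real image, replace `build_sample_image()` with the bytes of `docker save example/app:latest -o image.tar`. The important output is the `hidden_by_later_layer` flag: a finding marked `True` is invisible to anyone inspecting a running container, but is still fetched by every `docker pull`, which is exactly the class of leak the numbers above are counting.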