jjf130803

Reputation: 67

Is the project codebase of a Dockerhub public repository accessible by anyone?

I'm quite new to the concepts of containers and docker etc. Say I had a simple Angular Javascript application which makes an API call. If this application was an image on dockerhub, could somebody access the project's code? For example, if there was some sensitive information such as a subscription key in the headers, is it possible for anyone to intercept this key?

Upvotes: 1

Views: 252

Answers (3)

David Maze

Reputation: 159875

On the one hand, anyone who can run a Docker image can see the entire filesystem contents of that image, and in fact they can pretty trivially take over the entire host system. So Docker won't help you protect, for example, third-party API keys.

On the other hand, an Angular application will intrinsically be transferred across the network and run in the end user's browser. That means they will be able to look at the (minified) application source in the browser's debug tools, or just use a tool like curl to download the application themselves.

In this case, that means packaging the application in Docker doesn't really change the security posture of the application: as a browser-based application it's essentially public no matter how you package it on the server side.

Upvotes: 1
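The point above, that anyone who can pull the image can read every file in it, is something you can check yourself before pushing. The script below is an added example and is not code from the question or from any of the answers: it opens the tarball produced by `docker save image:tag -o image.tar`, treats each `<id>/layer.tar` or `blobs/sha256/<digest>` member as a layer, and searches every regular file in every layer for key-like assignments. The `apiKey`/`subscriptionKey` pattern, the layer-naming assumptions and the sample image it constructs (including the key string in it) are my own for the demo.

```python
"""Scan a `docker save` image tarball for secret-looking strings.

Added example, not from the original question or answers. Assumes the image
was exported with `docker save`, which yields an outer tar holding one tar per
layer (legacy `<id>/layer.tar` or OCI `blobs/sha256/<digest>`). The sample
image built by build_sample_image() is constructed here for the demo.
"""
import io
import re
import tarfile

# Assignment-style patterns a reviewer might flag; names are assumptions.
SECRET_PATTERNS = {
    "generic-api-key": re.compile(
        rb"(?:api[_-]?key|subscriptionKey)['\"]?\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]",
        re.IGNORECASE,
    ),
}


def iter_layer_files(image_tar_bytes):
    """Yield (layer_member, path_in_layer, content) for regular files in each layer."""
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes), mode="r:*") as image:
        for member in image.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if not (name.endswith("layer.tar") or name.startswith("blobs/sha256/")):
                continue
            data = image.extractfile(member).read()
            try:
                layer = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
            except tarfile.TarError:
                continue  # config or manifest JSON blob, not a filesystem layer
            with layer:
                for entry in layer.getmembers():
                    if entry.isfile():
                        yield name, entry.name, layer.extractfile(entry).read()


def scan_image(image_tar_bytes, max_file_size=5_000_000):
    """Return a list of (layer, path, pattern_name, redacted_value) findings."""
    findings = []
    for layer, path, content in iter_layer_files(image_tar_bytes):
        if len(content) > max_file_size:
            continue  # skip large binaries; tune for your images
        for pattern_name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(content):
                value = match.group(1).decode("ascii", "replace")
                redacted = value[:4] + "..." + value[-2:]  # never log the full key
                findings.append((layer, path, pattern_name, redacted))
    return findings


def build_sample_image(include_key=True):
    """Construct a minimal `docker save`-style tarball with one layer (demo only)."""
    if include_key:
        src = b'export const environment = {\n  apiKey: "sk_demo_0123456789abcdef0123",\n};\n'
    else:
        src = b'export const environment = {\n  apiUrl: "https://api.example.invalid",\n};\n'
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        info = tarfile.TarInfo("app/src/environments/environment.ts")
        info.size = len(src)
        layer.addfile(info, io.BytesIO(src))
    layer_bytes = layer_buf.getvalue()

    image_buf = io.BytesIO()
    with tarfile.open(fileobj=image_buf, mode="w") as image:
        info = tarfile.TarInfo("deadbeef/layer.tar")  # constructed layer id
        info.size = len(layer_bytes)
        image.addfile(info, io.BytesIO(layer_bytes))
        cfg = b'{"architecture":"amd64"}'  # non-tar blob to exercise the skip path
        info = tarfile.TarInfo("blobs/sha256/0000")
        info.size = len(cfg)
        image.addfile(info, io.BytesIO(cfg))
    return image_buf.getvalue()


if __name__ == "__main__":
    # With a real image: scan_image(open("image.tar", "rb").read())
    for finding in scan_image(build_sample_image()):
        print("LEAKED SECRET in layer %s at %s (%s): %s" % finding)
```

Run it against a real export by replacing the sample with `open("image.tar", "rb").read()`; a non-empty result means the key is readable by anyone who pulls the image, which is a reason to fail the CI step that would push it.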

thomas

Reputation: 449

As the key is in plain text in the code base, the key will be accessible through a running container. While building a docker image, you will copy the files to the image. After someone has started the docker image as a container, he can access the code via an interactive session.

To overcome this problem, you can add the key as an environment variable, either by using `docker run -e` or `docker run --env-file`. In that way you can specify the key when starting the container, so a changed key does not require rebuilding the entire image and no one can see your key by accessing the open image on a hub.

Upvotes: 1

Very likely it will be available. However you can use a .dockerignore file.

Place a file with the key somewhere in your project and load it in the code, then add that file to the dockerignore and you will be able to use it safely.

The issue with this approach is that you will need to manually re-add the file with the key in every pod.

Upvotes: 1
