iac/dockerfile/dockerfile-secret-in-env
Secret baked into ENV layer
Severity: high · Dockerfile · iac-dockerfile
What it detects
An `ENV` instruction whose key looks like a credential (API_KEY, TOKEN, PASSWORD, SECRET and similar) and carries a value. `ENV` is resolved at build time and the resolved value is written into the image configuration and into the layer's history entry, so anyone who can pull the image can read it with `docker history` or `docker inspect`; it is also inherited by every image built `FROM` this one and exported into every container started from it. Overwriting the variable in a later instruction does not help, because the earlier layer's history still records the original value.
Remediation
Pass the value at runtime instead (`docker run -e API_KEY=...`, an orchestrator secret, or a mounted file), so it never enters the image. For a secret needed only during the build (a private registry or package-index credential), use a BuildKit secret mount: `RUN --mount=type=secret,id=foo cat /run/secrets/foo`, supplied with `docker build --secret id=foo,src=./foo.txt`. The mounted file is visible only to that `RUN` step and is not written to any layer; make sure the command does not copy it onto the image filesystem, since `RUN` layers persist too. Passing the secret as a build `ARG` is not a fix: build-arg values appear in the image history of the `RUN` layers that follow the `ARG` declaration.
How it runs
The rule runs against files detected as Dockerfiles by path or basename. Checks are line-based, and each finding carries the remediation guidance above.
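The detection and the remediation described above, as an added example in Python (not the rule's own implementation): a line-based checker that folds backslash continuations, parses both the `ENV KEY value` and `ENV K1=v1 K2="v 2"` forms, flags credential-looking keys that carry a value, and marks separately the case where the value is only a variable reference (`ENV NPM_TOKEN=$NPM_TOKEN` after `ARG NPM_TOKEN` still bakes the build-arg value into the image config). The key pattern, the two sample Dockerfiles and the empty-value placeholder convention are assumptions made for this example; the real rule's matching and file detection may differ.

```python
import re

# Constructed example: a line-based checker for secrets baked into ENV.
# The key pattern and the sample Dockerfiles below are assumptions for this
# example, not the rule's own implementation.
SECRET_KEY_PATTERN = re.compile(r"API_?KEY|TOKEN|PASSWORD|PASSWD|SECRET", re.IGNORECASE)

# ENV K1=v1 K2="v 2" K3='v3': a key, then a double-quoted, single-quoted or bare value.
_PAIR_RE = re.compile(r"""([A-Za-z_][A-Za-z0-9_]*)=("(?:[^"\\]|\\.)*"|'[^']*'|\S*)""")
# A value that is purely a variable expansion: $NAME, ${NAME}, ${NAME:-default}.
_REF_RE = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*(?::-[^}]*)?\}?")


def _logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations folded."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def _parse_env_pairs(args):
    """Split the arguments of an ENV instruction into (key, value) pairs.

    Handles the legacy 'ENV KEY value' form (one pair, rest of line is the value)
    and the 'ENV K1=v1 K2=v2' form, where values may be quoted.
    """
    args = args.strip()
    if not args:
        return []
    first = args.split(None, 1)
    if "=" not in first[0]:
        return [(first[0], first[1].strip() if len(first) > 1 else "")]
    return [(m.group(1), m.group(2)) for m in _PAIR_RE.finditer(args)]


def check_dockerfile(text):
    """Return one finding per ENV key that looks like a credential and has a value.

    An empty value (ENV API_KEY="") is treated as a runtime placeholder and skipped.
    A value that is only a variable reference is still reported, with reference=True,
    because ENV is resolved at build time and the resolved value lands in the image config.
    """
    findings = []
    for line_no, instr in _logical_lines(text):
        instr = instr.strip()
        if not instr or instr.startswith("#"):
            continue
        m = re.match(r"ENV\s+(.*)", instr, re.IGNORECASE)
        if not m:
            continue
        for key, value in _parse_env_pairs(m.group(1)):
            if not SECRET_KEY_PATTERN.search(key):
                continue
            bare = value.strip("\"'")
            if bare == "":
                continue
            findings.append({"line": line_no, "key": key, "reference": bool(_REF_RE.fullmatch(bare))})
    return findings


# Constructed sample: every flagged line would be visible in `docker history`.
VULNERABLE_DOCKERFILE = """\
FROM python:3.12-slim
ARG NPM_TOKEN
ENV NPM_TOKEN=$NPM_TOKEN
ENV API_KEY=sk-example-not-a-real-key
ENV DB_PASSWORD hunter2
ENV APP_ENV=production \\
    GITHUB_TOKEN="ghp_examplevalue"
ENV LOG_LEVEL=info
"""

# Constructed sample of the remediation: the build-time token comes from a BuildKit
# secret mount (docker build --secret id=pypi_token,src=./pypi_token.txt) and is read
# only inside that RUN step; the runtime key is left empty for `docker run -e API_KEY=...`.
# The RUN text recorded in history contains the literal "$(cat /run/secrets/pypi_token)",
# not the expanded value.
REMEDIATED_DOCKERFILE = """\
FROM python:3.12-slim
RUN --mount=type=secret,id=pypi_token \\
    PIP_INDEX_URL="https://__token__:$(cat /run/secrets/pypi_token)@pypi.example.internal/simple" \\
    pip install --no-cache-dir internal-package
ENV API_KEY=""
ENV LOG_LEVEL=info
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_DOCKERFILE), ("remediated", REMEDIATED_DOCKERFILE)):
        for f in check_dockerfile(src):
            kind = "build-arg passthrough" if f["reference"] else "literal value"
            print(f"{name}: line {f['line']}: ENV {f['key']} carries a {kind} and is baked into the image")
```

Running the module reports four findings for the constructed vulnerable Dockerfile (the `$NPM_TOKEN` passthrough, the two literal values, and the token hidden on a continuation line) and none for the remediated one, because the only `ENV` left for a credential key is an empty placeholder.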
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.