Skip to main content
Detects hardcoded secrets, API keys, and credentials using gitleaks patterns.

Description

Scans Dockerfile content for actual secret values (not just variable names):
  • RUN commands and heredocs
  • COPY/ADD heredocs
  • ENV values
  • ARG default values
  • LABEL values
Uses gitleaks’ curated database of 222+ secret patterns including AWS keys, GitHub tokens, private keys, and more.

Complements BuildKit

Complements buildkit/SecretsUsedInArgOrEnv: BuildKit’s rule checks variable names (e.g., GITHUB_TOKEN), while this rule detects actual secret values.

Examples

Bad

Good

Configuration