How to Scan Container Image Layers for Secrets in CI
A secret COPYed then deleted still lives in an earlier layer; scanning the built image inspects every layer.
Run trivy image --scanners secret against the image you built. Trivy unpacks each layer and reports secrets, which a source scan of the Dockerfile alone would miss.
Steps
- Build the image in CI and tag it.
- Run
trivy image --scanners secret <tag>. - Fail the build on findings with
--exit-code 1.
Workflow
.github/workflows/ci.yml
jobs:
image-secret-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: docker build -t app:ci .
- name: Scan image layers
run: |
trivy image --scanners secret --exit-code 1 app:ciGotchas
- Deleting a file in a later layer does not remove it from the earlier layer that copied it.
- Use multi-stage builds so build-time secrets never reach the final image.
Related guides
How to Scan CI Build Logs for Leaked SecretsCatch secrets that leak into CI build logs by masking known values and scanning captured log output, so a pri…
How to Scan the Working Tree With TruffleHog filesystem in CIUse the TruffleHog filesystem source to scan the checked-out working tree for secrets in CI, catching credent…