Wednesday, December 17, 2025
Cloud Native Now

Cloud Native Now


MENUMENU
  • Home
  • Webinars
    • Upcoming
    • Calendar View
    • On-Demand
  • Podcasts
    • Cloud Native Now Podcast
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
  • About
  • Sponsor
MENUMENU
  • News
    • Latest News
    • News Releases
  • Cloud-Native Development
  • Cloud-Native Platforms
  • Cloud-Native Networking
  • Cloud-Native Security
Cloud-Native Development Cloud-Native Security Containers DevSecOps Docker Social - Facebook Social - LinkedIn Social - X 

Flare Finds 10,000 Docker Hub Images Exposing Secrets

December 16, 2025 Jeff Burt API, CI/CD security, cloud computing, container images, credentials, developers and containers, docker hub, exposed secrets, Flare Systems, passwords, shadow IT
by Jeff Burt

The security threats posed by inadvertently exposed secrets – think API keys, passwords, and tokens – have been known for at least a decade, dating back to the high-profile leak in 2016 involving Uber that let hackers steal data from 57 million users and drivers.

The hits have continued, with other incidents over the years affecting Microsoft, Capital One, Toyota, and others. Earlier this year, GitGuardian, in its State of Secrets Report 2025, found that 23.8 million secrets were leaked on public GitHub repositories last year, a year-over-year increase of 25%.

Techstrong Gang Youtube

“One exposed secret credential can undo years of security work in an instant,” wrote Joel Rose, senior product marketing manager at Checkmarx. “Hardcoded API keys, leaked credentials, and forgotten tokens have all led to some of the most significant breaches in recent history. For AppSec engineers and leaders, the message is clear: Detecting and managing secrets must be a fundamental part of your security strategy.”

Images Exposing Secrets

Now, researchers with cybersecurity firm Flare Systems found more than 10,000 images on Docker Hub exposing secrets – live API keys, cloud access tokens, and CI/CD secrets – from more than 100 organizations, including a Fortune 500 company and a major national bank. In a report this month, Flare cybersecurity researcher Assaf Morag wrote that 42% of the exposed images each contained fire or more secrets, “meaning a single container could unlock an entire cloud environment, CI/CD pipeline, and database.

AI secrets weren’t spared.

“AI LLM [large language model] model keys were the most frequently leaked credentials, with almost 4,000 exposed, revealing how fast AI adoption has outpaced security controls,” Morag wrote.

Hackers ‘Authenticate In’

Other significant findings from the report – all of which were collected during only a month of scanning in November – included that a large percentage of leaks came from shadow IT accounts via personal or contractor-owned registries that aren’t included in corporate monitoring operations, and while developers often removed leaked secrets from containers, 75% didn’t revoke or rotate the underlying keys. That left organizations exposed for months or years.

“The findings confirm a new attack paradigm,” Morag wrote. “Attackers don’t hack in – they authenticate in – using keys that companies accidentally publish themselves.”

He called the secrets the “connective tissue” of the digital supply chain that is critical to modern software development lifecycles (SDLCs), enabling authentication, automation, communications between services, and machine-to-machine trust for cloud providers, CI/CD pipelines, messaging platforms, and developer tools.

Essentially, everything in modern IT, from provisioning infrastructure to publishing artifacts, requires keys, tokens, and certificates. Accelerating the use of secrets are trends like microservices, serverless architectures, and federated development models, he wrote.

Secrets are Everywhere

That ubiquity is a problem.

“A single application can require dozens of API keys spanning vendors like AWS, GitHub, Slack, Stripe, GCP [Google Cloud Platform], and internal services,” Morag wrote. “Often, these credentials remain valid long after a developer has left the project or the organization. But while secrets are foundational to automation, they are also dangerously fragile. Their power often exceeds their visibility. Many organizations have thousands of active secrets that are never audited, scanned, rotated, or centrally managed.”

They’re strewn across various sources, from source code and config files to developer laptops, container images, and personal cloud accounts, and they can provide pathways for attacks that can get my protections such as multifactor authentication and perimeter defenses.

“In essence, secrets are both the lubricant of modern engineering and the Achilles heel of organizational security, as they are easy to use, easy to forget, and devastating if exposed,” he wrote.

30 Days of Scanning

Flare researchers scanned Docker Hub container images uploaded between November 1 and 30, identifying 10,456 containing one or more exposed keys. They then filed filtered out findings that were below “high” and “critical” severity, and still had 205 distinct namespaces on the repository. Analyzing those, they were able to put 101 of the namespaces to particular companies that ranged from SMBs to large enterprises.

“Interestingly, we found several cases where founders, contractors, freelancers, or employees were pushing container images from personal Docker Hub accounts, unintentionally exposing company secrets in the process,” Morag wrote.

They found that 28 of the identified 101 companies were in software development, with another 20 in the market and industrial space. Others ranged from AI and intelligence systems to financing and banking, business and consulting, and IT and infrastructure.

Developers and .env

One of the problems is that developers often use an “.env” file to store secrets – like database credentials, cloud access keys, tokens, and other authentication methods – during local development. In larger applications, such a file could hold dozens of secrets, he wrote.

“When the entire project directory is copied during the Docker build process, the ‘.env’ file is often included unintentionally, embedding all of its secrets directly into the container filesystem,” Morag wrote. “An even more dangerous scenario is when such an image is pushed, intentionally or not intentionally, to a public repository. This is why it is critical to scan and sanitize container images for secrets before publishing them, whether they are intended to be private or public.”

Another scenario comes when secrets are placed directly in a Dockerfile, which are also exposed through the image manifest and visible on Docker Hub.

The Threat of Shadow IT

As noted, shadow IT is also a problem. Corporate registries tend to be heavily monitored; accounts that fall outside of the corporate coverage – such as with contractors or other individuals. Flare noted one case in which secrets belonging to a Fortune 500 company were exposed via a personal public Docket Hub account, probably belonging to a contractor or employee.

“There were no visible identifiers linking the repository to the individual or to the organization, yet the container manifests contained highly sensitive credentials with access to multiple internal environments,” Morag wrote. “This case highlights a critical reality: organizations are increasingly at risk not through their official, monitored infrastructure, but through shadow and personal repositories that sit entirely outside corporate visibility, governance, and security controls.”

  • Click to share on X (Opens in new window) X
  • Click to share on Facebook (Opens in new window) Facebook
  • Click to share on LinkedIn (Opens in new window) LinkedIn
  • Click to share on Reddit (Opens in new window) Reddit

Related

  • ← Kubernetes Isn’t Getting Simpler—The Ecosystem Around It Is Getting Smarter

Techstrong TV

Click full-screen to enable volume control
Watch latest episodes and shows

Tech Field Day Events

UPCOMING WEBINARS

  • CloudNativeNow.com
  • DevOps.com
  • SecurityBoulevard.com
Secure AI Everywhere: From Edge to Container
18 December 2025
Secure AI Everywhere: From Edge to Container
From Firefighting to Foresight: How AI Is Redefining SRE & DevOps
21 January 2026
From Firefighting to Foresight: How AI Is Redefining SRE & DevOps
Can AI Lift Organizations Above the Cyber Poverty Line?
20 January 2026
Can AI Lift Organizations Above the Cyber Poverty Line?
Break Free From Jenkins: A Blueprint for Modernization
14 January 2026
Break Free From Jenkins: A Blueprint for Modernization
No items

Podcast


Listen to all of our podcasts

Press Releases

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Deloitte Partners with Memcyco to Combat ATO and Other Online Attacks with Real-Time Digital Impersonation Protection Solutions

Deloitte Partners with Memcyco to Combat ATO and Other Online Attacks with Real-Time Digital Impersonation Protection Solutions

SUBSCRIBE TO CNN NEWSLETTER

MOST READ

vCluster Adds Virtual Kubernetes Reference Architecture for GPUs

November 25, 2025

Survey Surfaces Myriad Kubernetes Networking Challenges

November 17, 2025

Amazon EKS Capabilities Drive ‘Opinionated’ Workload Orchestration and Resource Management

December 3, 2025

What I’m Thankful for in Cloud Native This Year: A Community That Keeps Building the Future

November 25, 2025

Akamai Acquires Fermyon to Further Advance Wasm Adoption

December 2, 2025

RECENT POSTS

Flare Finds 10,000 Docker Hub Images Exposing Secrets
Cloud-Native Development Cloud-Native Security Containers DevSecOps Docker Social - Facebook Social - LinkedIn Social - X 

Flare Finds 10,000 Docker Hub Images Exposing Secrets

December 16, 2025 Jeff Burt 0
Kubernetes Isn’t Getting Simpler—The Ecosystem Around It Is Getting Smarter
Video Interviews 

Kubernetes Isn’t Getting Simpler—The Ecosystem Around It Is Getting Smarter

December 10, 2025 Alan Shimel 0
SUSE Allies with evroc for European Cloud Service Based on Kubernetes
Cloud-Native Platforms Features News Social - Facebook Social - LinkedIn Social - X 

SUSE Allies with evroc for European Cloud Service Based on Kubernetes

December 10, 2025 Mike Vizard 0
Solo Gets Stickier on Gloo Mesh for Amazon ECS
Cloud-Native Development Features Social - Facebook Social - LinkedIn Social - X Topics 

Solo Gets Stickier on Gloo Mesh for Amazon ECS

December 10, 2025 Adrian Bridgwater 0
AWS Lambda Managed Instances Offer Specialized Compute Configurations 
Cloud-Native Development Features Social - Facebook Social - LinkedIn Social - X Topics 

AWS Lambda Managed Instances Offer Specialized Compute Configurations 

December 10, 2025 Adrian Bridgwater 0
  • About
  • Media Kit
  • Sponsor Info
  • Write for Cloud Native Now
  • Copyright
  • TOS
  • Privacy Policy
Powered by Techstrong Group
Copyright © 2025 Techstrong Group, Inc. All rights reserved.
×

Step 1 of 6

16%
Which best describes your level of influence when it comes to cloud database purchase and/or maintenance in your organization?(Required)
Which best describes how you feel about the performance of the cloud database(s) that support your organization’s critical applications?(Required)
Which of the following describes the costs typically associated with your most important cloud database(s)?(Required)
Which factors have typically driven up your database costs?(Required)
What has or have typically been the greatest limiting factor(s) to improving cloud database performance at your organization?(Required)
Which of the following has prompted, or would be likely to prompt, your organization to switch to/from cloud databases?(Required)

×