CanSecWest


Guillaume Valadon, Robert Yuen

Fresh Secrets From The Docks - Lessons Learnt From Analysing 15 Million Public DockerHub Images (With a twist of AI)

Secrets leakage is an underestimated risk with a potentially significant impact for the companies concerned. Unlike vulnerabilities, valid secrets give attackers the same access as the associated users or machines, which makes detecting that access difficult, since it looks like legitimate behavior.

In 2024, examples of secret leaks are numerous, from data theft incidents at Disney and Capgemini, to hard-coded secrets such as those at SolarWinds. The sources containing the secrets are equally varied, ranging from code management services such as GitHub, to binaries, to Web services exposing files that should remain private.

For attackers, the main challenge is to discover valid secrets that let them elevate their privileges without effort, for example during initial access. GitHub is a good example of a data source containing secrets, and it is not uncommon to find highly sensitive secrets for private Artifactory instances or Azure storage blobs there.

In this context, this talk presents the results of a campaign to search for secrets in Docker images publicly accessible on DockerHub. It took place in the last quarter of 2024 and covered 15 million images, for which all manifests (equivalent to the contents of the Dockerfile) and 16 million layers were scanned for secrets. This represents over 30 TB of downloaded data, and yielded over 100,000 valid secrets granting access to resources usually protected by authentication.
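The two scanning targets the abstract names, the Dockerfile-equivalent build history and the layer filesystems, can both be checked with the same pattern-matching core. The following is an added example written for this page, not code from the talk or its authors: it walks one image layer (a tar archive) and the `history` entries of an image config (where Docker records the `ENV`/`RUN` lines from the Dockerfile), looking for a few common credential shapes. The rule set, the sample config and the sample layer with its fake key are all constructed here; a real scanner would use a far larger rule set and validate each hit against the issuing service before counting it as a live secret.

```python
import io
import re
import tarfile

# Constructed rule set: a handful of common credential shapes. A production
# scanner carries hundreds of such rules plus validation against the provider.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Files larger than this are skipped: secrets live in small config files,
# and scanning large binaries is where layer scanning gets expensive.
MAX_FILE_SIZE = 1_000_000


def scan_text(location, text):
    """Return (location, rule_name, match) tuples for every pattern hit."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((location, name, match.group(0)))
    return findings


def scan_layer(layer_bytes):
    """Walk one image layer (a tar archive) and scan each small text file."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_SIZE:
                continue
            fileobj = tar.extractfile(member)
            if fileobj is None:
                continue
            try:
                text = fileobj.read().decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content; a fuller scanner would handle this separately
            findings.extend(scan_text(member.name, text))
    return findings


def scan_history(config):
    """Scan the build history recorded in an image config (ENV/RUN lines)."""
    findings = []
    for index, entry in enumerate(config.get("history", [])):
        findings.extend(scan_text(f"history[{index}]", entry.get("created_by", "")))
    return findings


# Constructed sample config: one ENV line carrying a fake token, one harmless RUN.
SAMPLE_CONFIG = {
    "history": [
        {"created_by": "/bin/sh -c #(nop) ENV GITHUB_TOKEN=ghp_" + "a" * 36},
        {"created_by": "/bin/sh -c apt-get update"},
    ]
}


def build_sample_layer():
    """Build a constructed in-memory layer: an .env file with a fake key and a README."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        files = {
            "app/.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\nDEBUG=true\n",
            "app/README.md": "Nothing secret here.\n",
        }
        for name, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_CONFIG) + scan_layer(build_sample_layer()):
        print(finding)
```

Running the block reports one hit in the build history (the `ENV` line) and one in the layer (`app/.env`); the README produces nothing. Applying this at the scale the abstract describes is mostly an engineering problem of fetching and iterating layers, but the detection core stays this simple.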

This work extends the existing state of the art, notably in the volumes involved, but also with a new methodology designed around those volumes.
