Docker cli login potential security issue or not?

Login to DockerHub in a GiHA pipeline using the Docker CLI:

  echo $DOCKER_PASSWORD | docker login --username $DOCKER_USER \
  shell: /usr/bin/bash -e {0}
WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json.
Login Succeeded

The *** represent ${{ secrets.DOCKER_USER }} and ${{ secrets.DOCKER_PASSWORD }} respectively.

So, I followed the warning, found the file and printed it in the console:

        "auths": {
                "": {
                        "auth": "long-string-of-random-characters"

So here I found that the password to my Dhub account was indeed encrypted by GitHub’s Secrets module and appended to this file encrypted, unlike the warning in the log indicated.

Now what I am wondering, if the password is encrypted by the Secrets module is there really a security issue with that value being appended to the config.json file, since the only way someone would have access to that file in that state is to that someone having access to my account in the first place ?

My conclusion is No., but I would like to have a second/third/Nth opinion of someone more experienced than moi.

That conclusion is unfortunately wrong, try base64-decoding that long-string-of-random-characters thing. :wink:

If someone could get access to the runner while your credentials are in there they could use them. It’s up to you whether you consider that an unacceptable risk. It is common practice to ensure that the credentials are deleted after use, even though the GitHub-hosted runner VMs are discarded after the job.

1 Like

That’s what I was unsure about, thanks for clarifying.

What are ways that someone could access the runner during execution, other than having access to my GH account ?

If you use GitHub-hosted runners, no-one should be able to access them, assuming that:

  • GitHub’s security systems work as designed.
  • You don’t do anything in the workflow to allow outside access or exfiltrate secrets, or that has security issues that allow others to do so.

If you use self-hosted runners, it’s up to you to secure them.

1 Like