# Docker Secrets and Security Best Practices

- ID: docker-secrets-security
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: Dockerfile
- Frameworks: docker

## Description

Detects hardcoded secrets in `ENV`/`ARG` instructions and `RUN` steps that pipe `curl`/`wget` output into a shell.

## Detection Message

Dockerfile contains {issue_type}: {details}

## Remediation

Use BuildKit secrets instead of hardcoding credentials.

```dockerfile
RUN --mount=type=secret,id=token \
    cat /run/secrets/token
```

Learn more: https://shoulder.dev/learn/docker/cwe-798/secrets-security

## Related Rules

- **Django Insecure SECRET_KEY** [CRITICAL]
- **Hardcoded Secrets in Source Code** [CRITICAL]
- **Hardcoded Secret in Environment Variable Fallback** [HIGH]
- **Hardcoded Credentials** [HIGH]
- **Hardcoded High-Entropy Secrets Detection** [CRITICAL]
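As an added example, not code from the rule itself or its project, the Python scanner below implements the two checks this rule describes (literal values in `ENV`/`ARG` whose names look credential-like, and `curl`/`wget` piped into a shell) over a constructed sample Dockerfile and reports findings in the detection-message shape above; the name heuristics, regexes and sample values are assumptions chosen for illustration.

```python
import re

# Constructed sample Dockerfile (not from the page): lines 2, 3, 6 and 7 carry
# the reported patterns; line 5 references a build argument instead of a literal,
# and lines 8-9 use the BuildKit secret mount the remediation recommends.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ARG NPM_TOKEN=npm_EXAMPLE_not_a_real_token
ENV DB_PASSWORD hunter2
ENV APP_MODE=production
ENV API_KEY=${API_KEY}
RUN curl -fsSL https://example.invalid/install.sh | sh
RUN wget -qO- https://example.invalid/setup.sh | sudo bash
RUN --mount=type=secret,id=token \\
    cat /run/secrets/token
"""

# Variable names that usually hold credentials (assumed heuristic, case-insensitive).
SECRET_NAME = re.compile(r"(?i)(passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)")
# First KEY=VALUE or KEY VALUE pair of an ENV/ARG instruction (later pairs are ignored).
ENV_ARG = re.compile(r"^\s*(ENV|ARG)\s+(\S+?)(?:=|\s+)(\S+)")
# curl/wget output piped, optionally through sudo, into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|dash)\b")

def logical_lines(text):
    # Join backslash-continued lines so a multi-line RUN is scanned as one instruction.
    buf, start = [], 1
    for n, s in enumerate(map(str.rstrip, text.splitlines()), 1):
        start = start if buf else n
        buf.append(s[:-1] if s.endswith("\\") else s)
        if not s.endswith("\\"):
            yield start, " ".join(buf)
            buf = []
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)

def scan_dockerfile(text):
    """Return (line, issue_type, details) tuples, one per reported pattern."""
    findings = []
    for n, line in logical_lines(text):
        kv = ENV_ARG.match(line)
        # "$VAR" / "${VAR}" values are references to build-time values, not literals.
        if kv and SECRET_NAME.search(kv[2]) and not kv[3].startswith("$"):
            findings.append((n, "hardcoded secret", f"{kv[1]} {kv[2]} is set to a literal value"))
        elif (p := PIPE_TO_SHELL.search(line)):
            findings.append((n, "pipe to shell", f"{p[1]} output is piped into a shell"))
    return findings

def message(finding):
    # Same shape as the rule's detection message.
    return "Dockerfile contains {}: {}".format(*finding[1:])
```

The BuildKit form on lines 8-9 of the sample produces no finding because the secret never appears as an instruction argument or image layer.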