Expected Findings
- `~/.docker/config.json` is served from the web root.
- `auths` map contains base64 registry credentials.
- `credsStore` reveals which OS keychain or helper holds longer-lived secrets.
Container Auth
Docker Config Leak
A container build leaves `~/.docker/config.json` inside the deployed image and the web root, so registry tokens and helper-store hints are reachable over HTTP.
CWE-200CWE-538
Docker auth probe
Primary Flows
- Docker config Registry auth tokens
- Home directory Same file via /home path
- Build context dump Mistakenly published context
Signals
config.json
{"auths":{"registry-1.docker.io":{"auth":"BASE64_USER_PASS"}},"credsStore":"osxkeychain"}