Why This Matters
Layerleak introduces a specialized secret scanner for Docker Hub images, leveraging OCI image internals to provide more accurate and comprehensive detection of secrets within container images. Its focus on layer and manifest awareness enhances security by identifying secrets across image history and configurations, addressing limitations of traditional scanners. This tool offers a valuable resource for developers and security teams aiming to improve container image security without relying on a Docker daemon.
Key Takeaways
- Layerleak analyzes OCI image layers, config metadata, and history for thorough secret detection.
- It is designed for public Docker Hub images with read-only scanning and no Docker daemon dependency.
- The tool supports deduplication of findings and can store results locally or in a Postgres database.
layerleak: the Docker Hub Secret Scanner
Check CONTRIBUTING.md for development and contribution guidelines.
Docker Hub / OCI image secret scanner that analyzes image layers, config metadata, and image history, then stores deduplicated findings by manifest digest.
Traditional secret scanners often treat a container image as a flat blob or depend on a local Docker daemon. This project is designed around OCI image internals
Current Capabilities:
- Public Docker Hub images only
- Read-only scanning
- No secret verification
- No Docker daemon dependency required
- Manifest-aware and layer-aware scanning
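To make the manifest-aware and layer-aware approach described above concrete, here is an added Python example. It is not layerleak's own code: the detection rules, the in-memory OCI image, the whiteout layout and the placeholder secret values are all constructed for the illustration. It shows the three things the description promises: scanning the config blob's history (where an `ENV` instruction leaves a value but no layer), scanning each layer tar independently so that a file deleted by a later whiteout is still found in the earlier layer, and deduplicating findings under the manifest digest so a second scan of the same image adds nothing.

```python
import hashlib
import io
import json
import re
import tarfile

# Hypothetical rule set for this example; the page does not list layerleak's rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"
    ),
}


def digest(blob):
    """OCI content address: sha256 over the exact blob bytes."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def scan_text(text, location):
    """Run every rule over one text unit and tag each hit with where it came from."""
    return [{"rule": rule, "location": location, "match": m.group(0)}
            for rule, rx in PATTERNS.items() for m in rx.finditer(text)]


def scan_config(config):
    """Config blob: Env values plus history[].created_by (the Dockerfile instructions).
    `ENV KEY=value` produces no layer (empty_layer=true) but survives in history."""
    findings = []
    for i, entry in enumerate(config.get("history", [])):
        findings += scan_text(entry.get("created_by", ""), f"history[{i}]")
    for env in config.get("config", {}).get("Env", []):
        findings += scan_text(env, "config.Env")
    return findings


def scan_layer(layer_blob, layer_digest):
    """Layer blob: a tar (gzip also accepted via 'r:*'). Each regular text file is
    scanned on its own; a file removed by a later layer's whiteout is still here."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_blob), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            try:
                text = tar.extractfile(member).read().decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content is skipped in this example
            findings += scan_text(text, f"{layer_digest}:{member.name}")
    return findings


def scan_image(manifest_blob, blobs, store):
    """Scan one image and return only findings not already in `store`.
    Dedup key = manifest digest + rule + location + match, so re-scanning the same
    manifest (one digest reachable via several tags) adds nothing."""
    manifest = json.loads(manifest_blob)
    manifest_digest = digest(manifest_blob)
    raw = scan_config(json.loads(blobs[manifest["config"]["digest"]]))
    for layer in manifest["layers"]:
        raw += scan_layer(blobs[layer["digest"]], layer["digest"])
    new = []
    for f in raw:
        key = hashlib.sha256(
            f"{manifest_digest}|{f['rule']}|{f['location']}|{f['match']}".encode()
        ).hexdigest()
        if key not in store:
            store[key] = {**f, "manifest_digest": manifest_digest}
            new.append(store[key])
    return new


def make_layer(files):
    """Constructed helper: build an uncompressed tar layer from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed image: a secret copied in layer 1 and deleted by a whiteout in
    layer 2, plus a key baked in via ENV (history only). Values are placeholders."""
    layer1 = make_layer({"app/.env": "API_KEY=cafe1234cafe1234cafe1234\n"})
    layer2 = make_layer({"app/.wh..env": ""})  # whiteout hides .env only at runtime
    config = {"config": {"Env": ["PATH=/usr/local/bin:/usr/bin"]},
              "history": [{"created_by": "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
                           "empty_layer": True},
                          {"created_by": "COPY .env /app/"},
                          {"created_by": "RUN rm /app/.env"}]}
    config_blob = json.dumps(config, sort_keys=True).encode()
    manifest = {"schemaVersion": 2, "config": {"digest": digest(config_blob)},
                "layers": [{"digest": digest(layer1)}, {"digest": digest(layer2)}]}
    manifest_blob = json.dumps(manifest, sort_keys=True).encode()
    blobs = {digest(config_blob): config_blob, digest(layer1): layer1, digest(layer2): layer2}
    return manifest_blob, blobs


if __name__ == "__main__":
    store = {}
    manifest_blob, blobs = build_sample_image()
    for f in scan_image(manifest_blob, blobs, store):
        print(f["rule"], f["location"], f["match"])
    print("second scan, new findings:", len(scan_image(manifest_blob, blobs, store)))
```

Running it reports two findings: the `AKIA…` placeholder from `history[0]` (a config-only leak a flat filesystem scan never sees) and the `API_KEY=…` line from layer 1, even though layer 2's whiteout removes `.env` from the running container. The second call returns nothing because every finding is already recorded under the same manifest digest; in a real deployment `store` would be the local file or Postgres table the page mentions, and the blobs would come from the registry API rather than being built in memory.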