`NEXT_PUBLIC_MAPBOX_TOKEN` baked into the Docker image at build time #32
Open
Description
- Context: Cloud
- Category: Secret Leakage
- Severity: 🔴 Critical
Evidence
```dockerfile
# Dockerfile
ARG NEXT_PUBLIC_MAPBOX_TOKEN
ENV NEXT_PUBLIC_MAPBOX_TOKEN=$NEXT_PUBLIC_MAPBOX_TOKEN
RUN pnpm run build
```

`NEXT_PUBLIC_*` variables in Next.js are inlined at build time into the JavaScript bundle. The Mapbox token is therefore embedded in the compiled static assets inside the Docker image. Any party who can:

- Pull the Docker image from a registry (even a private one, given a leaked pull token)
- Extract the image layers with `docker save` or `dive`
- Browse the `.next/static/chunks/*.js` files

will find the Mapbox token in plaintext. Unlike server-side env vars, which exist only at runtime and can be swapped on restart, this token cannot be rotated without a full rebuild and redeployment; revoking it at Mapbox breaks every deployed copy until a new image ships. Since the same inlined bundle is also served to every visitor, the value must in any case be a public (`pk.`) token with URL restrictions; the image adds a second, persistent copy that outlives the deployment in registries and caches.
Additionally, the `ENV` instruction stores the value in the image config (visible with `docker inspect`), and ARG values consumed by `RUN` steps are recorded in the image history:

```sh
$ docker history <image> --no-trunc
```

This prints the value of each ARG used during `RUN` commands, so the token is readable without even extracting the layers.
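The following is an added, runnable check written for this issue; it is not part of the project. It walks a `docker save` archive and reports Mapbox-shaped tokens (`pk.`/`sk.`/`tk.` followed by a JWT-style payload and signature) wherever the text above says they end up: in the files of each layer (such as `.next/static/chunks/*.js`), in the image config's `Env` array, and in the `history` entries that `docker history --no-trunc` prints. The archive here is constructed in memory with a fake token and a constructed `RUN |1 NAME=value /bin/sh -c pnpm run build` history line in the form the builder records; to scan a real image, pass the bytes of `docker save app:latest > app.tar` to `scan_image_tar`.

```python
"""Scan a `docker save` tarball for Mapbox-shaped tokens: in layer files
(e.g. .next/static/chunks/*.js), in the image config's Env array, and in
the build history that `docker history --no-trunc` prints."""
import io
import json
import re
import tarfile

# Mapbox tokens are JWT-shaped with a pk./sk./tk. prefix: <prefix>.<payload>.<signature>
TOKEN_RE = re.compile(rb"\b[pst]k\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Constructed token for the sample image; not a real Mapbox credential.
FAKE_TOKEN = "pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjbHFmYWtlIn0.c29tZXNpZ25hdHVyZQ"


def _find(data: bytes, location: str) -> list[tuple[str, str]]:
    """Return (location, token) for every token-shaped match in data."""
    return [(location, m.group(0).decode()) for m in TOKEN_RE.finditer(data)]


def scan_image_tar(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Walk a `docker save` archive: manifest.json -> config JSON + layer tars."""
    findings: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as outer:
        members = {m.name: m for m in outer.getmembers()}
        manifest = json.load(outer.extractfile(members["manifest.json"]))
        for image in manifest:
            cfg = json.load(outer.extractfile(members[image["Config"]]))
            # ENV instructions end up here; `docker inspect` shows the same array.
            for env in cfg.get("config", {}).get("Env", []):
                findings += _find(env.encode(), "config.Env:" + env.split("=", 1)[0])
            # ARG values consumed by RUN, and ENV lines, are recorded per step here.
            for i, step in enumerate(cfg.get("history", [])):
                findings += _find(step.get("created_by", "").encode(), f"history[{i}]")
            # Every regular file in every layer, so the inlined bundle is caught too.
            for layer_name in image["Layers"]:
                layer_bytes = outer.extractfile(members[layer_name]).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for f in layer.getmembers():
                        if f.isfile():
                            data = layer.extractfile(f).read()
                            findings += _find(data, f"{layer_name}:{f.name}")
    return findings


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Append an in-memory regular file to a tar being written."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image_tar() -> bytes:
    """Constructed stand-in for `docker save app:latest`: one layer holding a
    Next.js chunk with the inlined token, plus a config whose Env and history
    carry the same value, mirroring the Dockerfile in the issue."""
    chunk_js = ('(self.webpackChunk=self.webpackChunk||[]).push([[179],{}]);'
                f'var t="{FAKE_TOKEN}";mapboxgl.accessToken=t;').encode()
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add(layer, "app/.next/static/chunks/main-3f2a.js", chunk_js)
        _add(layer, "app/package.json", b'{"name":"app"}')
    config = {
        "config": {"Env": ["PATH=/usr/local/bin", f"NEXT_PUBLIC_MAPBOX_TOKEN={FAKE_TOKEN}"]},
        "history": [
            {"created_by": "ARG NEXT_PUBLIC_MAPBOX_TOKEN"},
            {"created_by": f"ENV NEXT_PUBLIC_MAPBOX_TOKEN={FAKE_TOKEN}"},
            # Constructed in the form the builder records ARGs used by RUN.
            {"created_by": f"RUN |1 NEXT_PUBLIC_MAPBOX_TOKEN={FAKE_TOKEN} /bin/sh -c pnpm run build # buildkit"},
        ],
    }
    manifest = [{"Config": "c0ffee.json", "RepoTags": ["app:latest"], "Layers": ["l1/layer.tar"]}]
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as outer:
        _add(outer, "manifest.json", json.dumps(manifest).encode())
        _add(outer, "c0ffee.json", json.dumps(config).encode())
        _add(outer, "l1/layer.tar", layer_buf.getvalue())
    return out.getvalue()


if __name__ == "__main__":
    for location, token in scan_image_tar(build_sample_image_tar()):
        print(f"{location}: {token[:12]}...")
```

On the sample image the scanner reports four hits for the same token: the `Env` entry, the `ENV` and `RUN` history steps, and the compiled chunk inside the layer. Running it in CI against the built image before push turns this finding into a blocking check rather than a post-hoc audit.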
Impact: Permanent exposure of the Mapbox token in all distributed or stored image artifacts. Tokens used in CI/CD build args are also captured in CI logs unless explicitly masked.
Affected files: Dockerfile