Safeguard
Container Security

Container registry credential leak trends

2026 data shows container registry credential leaks accelerating as CI pipelines speed up — and why layer-aware scanning, not just final-image checks, is now essential.

Safeguard Research Team
Research
6 min read

Container registries have quietly become one of the softest targets in the software supply chain. Between January and June 2026, researchers tracking exposed Docker and OCI registries logged a sustained rise in publicly reachable image repositories leaking long-lived credentials — cloud IAM keys, npm and PyPI tokens, database connection strings, and even signing keys — baked directly into image layers or left behind in build-time environment variables. Security teams that once treated the registry as a passive artifact store are now finding it is one of the most common places a single misconfigured push turns into a full-blown credential leak.

The pattern is not new, but its scale is. What used to be occasional embarrassing disclosures from misconfigured Docker Hub repositories has evolved into a structural weakness across private registries, CI-integrated registries, and multi-cloud image mirrors. Safeguard's research team reviewed a cross-section of recent incident write-ups, registry scanning telemetry, and public breach disclosures to map how these leaks happen, why they persist, and what is actually changing in 2026.

The shape of the problem

A container image is, functionally, a tarball of filesystem layers. Every RUN, COPY, and ENV instruction in a Dockerfile can leave a fingerprint in the final artifact, even after later layers appear to remove the sensitive file. This is the core mechanic behind most registry credential leaks: a secret is written in one layer, "deleted" in a subsequent layer, and yet remains fully recoverable by anyone who pulls the image and inspects its layer history. Tools that flatten or docker save an image expose this trivially; even without special tooling, a docker history and manual layer extraction is enough for a motivated attacker.

Three failure patterns account for the overwhelming majority of the incidents reviewed:

  • Build-time secrets committed to layers. CI pipelines that inject cloud credentials, private registry tokens, or API keys as build arguments (--build-arg) rather than using proper build secrets (--secret mounts, multi-stage build isolation) leave those values embedded in the image history.
  • Publicly exposed private registries. Misconfigured registry authentication — anonymous pull enabled, overly permissive IAM policies on registry storage buckets, or forgotten staging registries — turns an internal artifact store into a public one overnight.
  • Config and manifest leakage. .dockerignore gaps and stray .env, .npmrc, or .git-credentials files copied into build context end up shipped inside the image, frequently containing tokens with far broader scope than the application itself needs.

What the trend data shows

Aggregated telemetry across registry scanning engagements shows a consistent signal: a meaningful share of publicly and privately hosted container images contain at least one high-confidence secret when scanned with layer-aware detection (as opposed to scanning only the final filesystem view, which materially undercounts findings). The gap between "secrets found scanning the final image state" and "secrets found scanning full layer history" is itself a leading indicator of how many organizations are relying on scanning tooling that misses the problem entirely.

A few trend lines stand out from the 2026 data:

  1. CI-to-registry leak velocity is increasing. As build pipelines get faster and more automated, the window between a secret being committed and an image being pushed to a registry — and then pulled by downstream services, forks, or even public mirrors — has compressed from days to minutes in many pipelines. Faster CI means faster propagation of a mistake.
  2. Base image inheritance is spreading leaked secrets downstream. When a leaked credential sits in a widely-reused internal base image, every derived image inherits the exposure. Incident responders increasingly report discovering the same leaked token across dozens of downstream image tags, all traceable to a single upstream base image build.
  3. Registry-native secret scanning is inconsistent. Major registries have improved their native secret-scanning coverage, but detection quality varies significantly across public and private offerings, and self-hosted registries (Harbor, Nexus, JFrog Artifactory instances run on-prem) frequently have scanning disabled by default or configured with narrow rule sets that miss cloud-provider credential formats.
  4. Long-lived static credentials remain the dominant leaked secret type. Rotatable, short-lived tokens are leaked far less often in practice than static cloud IAM keys, database passwords, and third-party API keys — largely because organizations that have adopted short-lived credential issuance have also, as a side effect, reduced the blast radius of any single leak.

Why the leaks keep happening despite better tooling

The uncomfortable finding across these incidents is that secret-scanning tooling is not the bottleneck — coverage and workflow integration are. Many organizations run secret scanners on source repositories but not on built container images, creating a blind spot exactly where build-time injection occurs. Others scan images but only at the registry ingestion point, missing intermediate build layers that get cached and reused across pipelines. And even when a leak is detected, remediation frequently stalls: rotating a credential that's baked into dozens of already-pulled image tags requires coordinated rotation, re-tagging, and re-deployment — work that competes with feature delivery and often loses.

This is compounded by a reachability gap. Not every secret found in a scan represents equal risk. A leaked token for an internal, network-isolated test database is a materially different finding than a cloud IAM key with production write access that is actively used by a running deployment. Teams without a way to distinguish "leaked but dead" from "leaked and exploitable in production" end up either drowning in low-priority alerts or, worse, deprioritizing a finding that turns out to matter.

What effective mitigation looks like

Organizations that are successfully driving down registry credential exposure share a few practices in common: they scan full layer history rather than just the final image filesystem; they enforce BuildKit-style secret mounts instead of build arguments in CI templates; they generate and retain a software bill of materials (SBOM) for every pushed image so provenance and dependency exposure can be reconstructed after the fact; and they treat registry access itself as a tenant-isolated, least-privilege boundary rather than a shared bucket. Critically, the organizations with the fastest mean-time-to-remediation also have automated pull request generation wired into their pipeline, so a detected leak produces a fix in minutes rather than a ticket that waits for a sprint planning cycle.

How Safeguard Helps

Safeguard scans container images layer-by-layer — not just the final filesystem state — to catch credentials baked into intermediate build steps before they ever reach a production registry. Reachability analysis then correlates each finding against actual deployment and runtime context, so teams can immediately see which leaked credentials are attached to live, exploitable services versus dormant test artifacts, cutting noise dramatically. Griffin AI triages and prioritizes these findings automatically, surfacing the handful of leaks that carry real business risk instead of burying teams in raw scanner output. Safeguard generates and ingests SBOMs for every scanned image, giving teams a durable record of what shipped and where a given secret or dependency propagated across downstream tags. And when a credential leak is confirmed, Safeguard's auto-fix PRs open a remediation change directly against the offending Dockerfile or CI template — replacing build-arg secrets with proper secret mounts — so the fix ships as fast as the leak did.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.