ConfigClarity

Free browser-based DevOps audit tools — no signup, nothing leaves your browser

Fix hardcoded secrets in docker-compose.yml

Move passwords to .env files before they end up in git history

Risk: Hardcoded passwords in docker-compose.yml get committed to git. Even if you delete them later, they remain in git history and are searchable on GitHub.

The problem

โŒ Hardcoded โ€” never commit this
services:
  db:
    image: postgres:15
    environment:
      - POSTGRES_PASSWORD=mysecretpassword123
      - POSTGRES_USER=admin
  redis:
    image: redis:7
    command: redis-server --requirepass myredispassword
  app:
    environment:
      - SECRET_KEY=sk-prod-abc123xyz456
      - DATABASE_URL=postgres://admin:mysecretpassword123@db:5432/myapp

The fix — .env file approach

1. Create a .env file

✅ .env (never commit this file)
POSTGRES_PASSWORD=mysecretpassword123
POSTGRES_USER=admin
REDIS_PASSWORD=myredispassword
SECRET_KEY=sk-prod-abc123xyz456
DATABASE_URL=postgres://admin:mysecretpassword123@db:5432/myapp

2. Add .env to .gitignore immediately

echo ".env" >> .gitignore
echo ".env.local" >> .gitignore
git add .gitignore && git commit -m "ignore .env files"

3. Update docker-compose.yml to use variable references

✅ Safe — references .env variables
services:
  db:
    image: postgres:15
    environment:
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_USER=${POSTGRES_USER}
  redis:
    image: redis:7
    command: redis-server --requirepass ${REDIS_PASSWORD}
  app:
    environment:
      - SECRET_KEY=${SECRET_KEY}
      - DATABASE_URL=${DATABASE_URL}

4. Create a .env.example for documentation

✅ .env.example — safe to commit
POSTGRES_PASSWORD=change_this
POSTGRES_USER=myapp
REDIS_PASSWORD=change_this
SECRET_KEY=change_this
DATABASE_URL=postgres://myapp:change_this@db:5432/myapp

Hardcoded secrets are credentials, API keys, and passwords written directly into docker-compose.yml or .env files that get committed to version control. When your repo is public — or gets breached — every hardcoded credential is immediately exposed. The fix is to use environment variable references and keep actual values out of version-controlled files.

For production — use Docker Secrets

✅ Docker Secrets (production)
services:
  db:
    image: postgres:15
    environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
    secrets:
      - db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt
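The compose file above hands the password to the official postgres image through POSTGRES_PASSWORD_FILE, and that image reads the file itself. Your own app service has to honour the same convention in code. Below is an added example written for this page, not ConfigClarity's code, assuming a Python application: read_secret() prefers <NAME>_FILE, then falls back to the plain variable for local development, and demo() stands in for the /run/secrets mount with a temporary file (the secret value is constructed).

```python
import os
import tempfile
from typing import Mapping, Optional


def read_secret(name: str, env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return the secret called `name` using the Docker Secrets file convention.

    Lookup order:
      1. <NAME>_FILE  path of a mounted secret (e.g. /run/secrets/db_password);
                      the file's contents, minus a trailing newline, win.
      2. <NAME>       plain environment variable (.env / dev fallback).
      3. None         the caller decides whether that is fatal.
    A <NAME>_FILE that points at a missing file raises FileNotFoundError on
    purpose: a misconfigured secret should fail loudly at startup.
    """
    path = env.get(f"{name}_FILE")
    if path:
        with open(path, encoding="utf-8") as fh:
            return fh.read().rstrip("\r\n")
    return env.get(name)


def demo() -> dict:
    """Constructed demonstration: a temp file plays the role of the secret mount."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "db_password")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("s3cr3t-from-file\n")  # constructed sample value
        return {
            # file form only
            "file": read_secret("POSTGRES_PASSWORD", {"POSTGRES_PASSWORD_FILE": secret_path}),
            # both set: the mounted file takes precedence over the env var
            "file_wins": read_secret("POSTGRES_PASSWORD",
                                     {"POSTGRES_PASSWORD_FILE": secret_path,
                                      "POSTGRES_PASSWORD": "from-env"}),
            # env var only (local development with a .env file)
            "env": read_secret("POSTGRES_PASSWORD", {"POSTGRES_PASSWORD": "from-env"}),
            # nothing configured
            "missing": read_secret("POSTGRES_PASSWORD", {}),
        }


if __name__ == "__main__":
    print(demo())
```

Two things the compose snippet leaves implicit: the ./secrets/ directory that backs a file: secret is exactly as sensitive as .env and belongs in .gitignore too, and a secret mounted under /run/secrets is a file rather than an environment variable, so it does not show up in docker inspect output or in docker compose config the way environment: values do.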


Scan your compose file for hardcoded secrets

The Docker Auditor detects literal values in environment blocks and flags sensitive key names (PASSWORD, SECRET, API_KEY, TOKEN).
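The rule the auditor applies, together with the .env.example step of the fix above, as an added example written for this page (it is not ConfigClarity's Docker Auditor, whose implementation is not shown here): scan_compose() walks a compose file line by line, tracks environment: blocks by indentation, and reports a literal value on a key matching PASSWORD, SECRET, API_KEY or TOKEN, a password embedded in a connection URL, or a literal redis --requirepass, while ${VAR} references pass. make_env_example() turns a real .env into the committable template from step 4. The sample compose texts are constructed from the page's examples; PASSWD in the key list is my addition.

```python
import re
from typing import List, NamedTuple

# Key names treated as sensitive: the page's list plus PASSWD (an assumption).
SENSITIVE_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|API_KEY|TOKEN", re.IGNORECASE)
# A value that is purely a reference: $VAR, ${VAR}, ${VAR:-default}, ${VAR:?msg}
VAR_REF = re.compile(r"^\$(\{[A-Za-z_]\w*(:?[-?][^}]*)?\}|[A-Za-z_]\w*)$")
# scheme://user:password@host  (group 1 is the password part)
URL_CREDS = re.compile(r"://[^/\s:@]+:([^@\s]+)@")
REQUIREPASS = re.compile(r"--requirepass\s+(\S+)")
# KEY=value (list form) or KEY: value (mapping form)
ENV_ITEM = re.compile(r"^([A-Za-z_]\w*)\s*[=:]\s*(.*)$")


class Finding(NamedTuple):
    line: int
    key: str
    reason: str


def is_reference(value: str) -> bool:
    """True when the value only points at a variable, so no secret is in the file."""
    return VAR_REF.match(value.strip()) is not None


def scan_compose(text: str) -> List[Finding]:
    """Flag literal secrets in environment: blocks and in redis --requirepass.
    Line-based on purpose (no YAML library); the exec-array form of command:
    and multi-line scalars are not handled."""
    findings: List[Finding] = []
    in_env, env_indent = False, -1
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if stripped == "environment:":
            in_env, env_indent = True, indent
            continue
        if in_env and indent <= env_indent:  # block ended, back at service level
            in_env = False
        if in_env:
            item = stripped[2:] if stripped.startswith("- ") else stripped
            m = ENV_ITEM.match(item)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip().strip("\"'")
            if not value or is_reference(value):
                continue  # empty = passed through from the host; ${VAR} = from .env
            if SENSITIVE_KEY.search(key):
                findings.append(Finding(lineno, key, "literal value on sensitive key"))
            else:
                creds = URL_CREDS.search(value)
                if creds and "$" not in creds.group(1):
                    findings.append(Finding(lineno, key, "password embedded in connection URL"))
            continue
        m = REQUIREPASS.search(stripped)
        if m and not is_reference(m.group(1).strip("\"'")):
            findings.append(Finding(lineno, "--requirepass", "literal password in command"))
    return findings


def make_env_example(env_text: str, placeholder: str = "change_this") -> str:
    """Turn a real .env into a committable .env.example: keys, comments and blank
    lines survive, every value becomes the placeholder. In URLs that embed
    credentials only the password is replaced so the URL shape stays documented."""
    out = []
    for line in env_text.splitlines():
        m = ENV_ITEM.match(line.strip())
        if not m or line.lstrip().startswith("#") or "=" not in line:
            out.append(line)
            continue
        key, value = m.group(1), m.group(2)
        creds = URL_CREDS.search(value)
        value = (value[:creds.start(1)] + placeholder + value[creds.end(1):]) if creds else placeholder
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


# Constructed sample: the page's "hardcoded" compose file.
HARDCODED_COMPOSE = """\
services:
  db:
    image: postgres:15
    environment:
      - POSTGRES_PASSWORD=mysecretpassword123
      - POSTGRES_USER=admin
  redis:
    image: redis:7
    command: redis-server --requirepass myredispassword
  app:
    environment:
      - SECRET_KEY=sk-prod-abc123xyz456
      - DATABASE_URL=postgres://admin:mysecretpassword123@db:5432/myapp
"""

# Constructed sample: the same services after the fix, mixing list and mapping forms.
SAFE_COMPOSE = """\
services:
  db:
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_USER: ${POSTGRES_USER}
  redis:
    command: redis-server --requirepass ${REDIS_PASSWORD}
  app:
    environment:
      - SECRET_KEY=${SECRET_KEY}
      - DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/myapp
"""

if __name__ == "__main__":
    for f in scan_compose(HARDCODED_COMPOSE):
        print(f"line {f.line}: {f.key}: {f.reason}")
    print("safe file findings:", scan_compose(SAFE_COMPOSE))
```

Run against the hardcoded sample it reports four lines (the Postgres password, the redis --requirepass, SECRET_KEY, and the credentials inside DATABASE_URL) and nothing against the fixed file. Keeping POSTGRES_USER out of the sensitive list is deliberate: a username alone is not a credential, but the same username inside a URL with its password is caught by the URL rule.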


Frequently Asked Questions

I already committed a password โ€” how do I remove it from git history?

Use git filter-branch or BFG Repo Cleaner to rewrite history. But first, rotate the compromised secret immediately — assume it has been seen. Then clean git history, and force-push. If the repo is on GitHub, contact their security team to remove cached views.

Does Docker Compose automatically load .env files?

Yes. Docker Compose automatically loads a file named .env in the same directory as docker-compose.yml. You can specify a different file with docker compose --env-file .env.production up.

What's the difference between environment: and env_file:?

environment: sets variables directly (can use ${VAR} references from .env). env_file: loads an entire file of KEY=VALUE pairs into the container's environment. Both are valid — use whichever keeps your compose file cleaner.
