The European Commission left sensitive internal credentials exposed on the public internet through a misconfigured Docker container image — a discovery that underscores how even the most security-conscious institutions can stumble over basic supply chain hygiene in their software infrastructure.
The breach, first reported by The Next Web, was uncovered by a European security researcher who used Aqua Security’s open-source vulnerability scanner Trivy to inspect publicly available Docker images associated with the Commission. What the researcher found was alarming: hardcoded secrets, internal API tokens, and database credentials baked directly into container layers that anyone could pull and examine.
Not a sophisticated zero-day exploit. Not a nation-state intrusion. A configuration mistake.
The discovery highlights a persistent and growing problem across both public and private sector IT operations: the careless handling of secrets inside container images that end up on public registries. Docker Hub, the world’s largest container image repository, hosts millions of images. Many of them, as repeated research has shown, contain embedded credentials, private keys, and authentication tokens that developers never intended to ship but did anyway — often because they didn’t understand how Docker’s layered filesystem preserves every change made during the build process, even if a secret is deleted in a subsequent layer.
In the Commission’s case, the exposed image reportedly contained credentials that could have allowed access to internal systems. The specifics of which systems were at risk haven’t been fully disclosed, but the implication is clear: an attacker with even modest technical skill could have pulled the image, extracted the secrets, and attempted to authenticate against European Commission infrastructure. The barrier to entry was essentially zero.
The European Commission confirmed the issue and said it had taken corrective action. But the incident raises uncomfortable questions about the institution’s internal DevOps practices and whether adequate secret-scanning pipelines were in place before images were pushed to public registries.
This isn’t an isolated problem. A 2023 study by researchers at RWTH Aachen University analyzed over 337,000 Docker Hub images and found that roughly 8.5% contained at least one secret — API keys, cloud credentials, SSH private keys, or database passwords. The scale of the problem is staggering, and it extends well beyond any single organization. Cloud providers, financial institutions, and government agencies have all been caught shipping secrets in container images.
So how does this keep happening?
The answer lies in the gap between how developers think about containers and how containers actually work. When a developer adds a file to a Docker image in one layer and removes it in the next, the file is still present in the earlier layer. Docker images are essentially stacks of read-only filesystem snapshots. Tools like Trivy, Syft, and Grype can peel back those layers and inspect every one of them, revealing secrets that appear to have been deleted but haven’t been. Many developers simply don’t know this. Others know but assume the risk is low because they’re publishing to what they believe is a limited audience.
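To make the layer mechanism concrete, here is an added example that is not code from the article, from Trivy, or from the Commission. It reads an image tarball in the `docker save` layout (a top-level `manifest.json` listing each layer tar in build order), uses the OCI whiteout convention (a file named `.wh.<name>` in a later layer marks `<name>` as deleted) to find files that were "removed" but still sit in an earlier layer, and runs a few illustrative credential patterns over every layer. The two-layer sample image, the `example/app:1` tag, the file names and the credential values are all constructed for the demonstration; the regexes are illustrative, not a production ruleset.

```python
"""Walk a docker-save image tar layer by layer, report files deleted in a
later layer that survive in an earlier one, and flag credential-like text.
Added example; assumes the docker-save layout and OCI whiteout entries."""
import io
import json
import re
import tarfile

# Illustrative credential patterns (constructed; not an exhaustive ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "connection_string_password": re.compile(r"(?i)(?:password|pwd)=([^;\s]+)"),
}
WHITEOUT_PREFIX = ".wh."  # OCI image-spec marker for "this path was deleted"


def read_layers(image_tar_bytes):
    """Return layers in build order as (name, files, deleted): files maps
    path -> bytes for regular files, deleted holds paths whited out here."""
    layers = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            files, deleted = {}, set()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer.getmembers():
                    name = member.name[2:] if member.name.startswith("./") else member.name
                    directory, _, base = name.rpartition("/")
                    if base.startswith(WHITEOUT_PREFIX):
                        # ".wh.foo" in this layer means "foo" was deleted here,
                        # but the bytes remain in whichever earlier layer added it
                        original = base[len(WHITEOUT_PREFIX):]
                        deleted.add(f"{directory}/{original}" if directory else original)
                    elif member.isfile():
                        files[name] = layer.extractfile(member).read()
            layers.append((layer_name, files, deleted))
    return layers


def find_ghost_files(layers):
    """Map each path deleted in a later layer to the earlier layer that still
    carries its content: the files a developer believes are gone."""
    ghosts = {}
    for i, (_, _, deleted) in enumerate(layers):
        for path in deleted:
            for earlier_name, earlier_files, _ in layers[:i]:
                if path in earlier_files:
                    ghosts[path] = earlier_name
    return ghosts


def scan_for_secrets(layers):
    """Run every pattern over every file in every layer, whether or not a
    later layer deleted it. Returns sorted (layer, path, pattern) tuples."""
    findings = []
    for layer_name, files, _ in layers:
        for path, content in files.items():
            text = content.decode("utf-8", errors="replace")
            for pattern_name, regex in SECRET_PATTERNS.items():
                if regex.search(text):
                    findings.append((layer_name, path, pattern_name))
    return sorted(findings)


def gate(image_tar_bytes):
    """CI-style release gate: 0 when no layer carries a secret, else 1."""
    return 1 if scan_for_secrets(read_layers(image_tar_bytes)) else 0


def tar_bytes(entries):
    """Build an in-memory tar from {name: bytes} (used to construct samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image mimicking `COPY .env` then `RUN rm .env`.
    Tag, paths and the password value are fabricated for this example."""
    layer1 = tar_bytes({
        "app/.env": b"DB_URL=postgres://svc@db.internal/app;password=CONSTRUCTED_pw_123\n",
        "app/main.py": b"print('hello')\n",
    })
    layer2 = tar_bytes({"app/.wh..env": b""})  # the "rm" becomes a whiteout, not a removal
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["example/app:1"],
                            "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]).encode()
    return tar_bytes({"manifest.json": manifest,
                      "layer1/layer.tar": layer1,
                      "layer2/layer.tar": layer2})


if __name__ == "__main__":
    layers = read_layers(build_sample_image())
    print("deleted-but-present:", find_ghost_files(layers))
    print("findings:", scan_for_secrets(layers))
```

Running it shows the `.env` file whited out in layer 2 still readable in layer 1, and the password pattern firing on that layer. The `gate` function is the shape of check a pipeline would run against the built image before `docker push`, failing the job on any finding rather than only reporting it.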
The European Commission’s exposure is particularly notable because of the institution’s role as both a regulatory body and a vocal advocate for cybersecurity standards across the EU. The Commission has been instrumental in pushing the Cyber Resilience Act, NIS2 Directive, and other frameworks that impose strict security obligations on software vendors and critical infrastructure operators. Getting caught with hardcoded secrets in a public container image isn’t a good look when you’re simultaneously telling the private sector to get its house in order.
And the timing matters. European regulators are in the middle of implementing new supply chain security requirements under the Cyber Resilience Act, which will mandate that products with digital elements meet baseline security requirements before being placed on the EU market. Software supply chain integrity — including how code is built, packaged, and distributed — is a central pillar of that regulation. The Commission’s own stumble demonstrates how difficult it is to enforce these standards even internally.
Aqua Security’s Trivy scanner, the tool used to make the discovery, has become one of the most widely adopted open-source security scanners in the container and cloud-native space. It scans container images, filesystems, Git repositories, and Kubernetes clusters for vulnerabilities, misconfigurations, and embedded secrets. Its popularity has grown precisely because the class of problems it detects — known vulnerabilities in dependencies, leaked credentials, insecure configurations — is so pervasive.
The researcher who found the Commission’s exposed credentials reportedly followed responsible disclosure practices, notifying the institution before the findings were made public. That’s the best-case scenario for any organization on the receiving end of such a report. The worst case — an attacker finding the credentials first and exploiting them silently — is the scenario that keeps CISOs awake at night.
What makes container security particularly tricky is the velocity of modern development. Teams push dozens or hundreds of image updates per day. CI/CD pipelines are designed for speed, and security checks, when they exist at all, are often bolted on as an afterthought rather than integrated as a gate that can block a release. Secret scanning in particular is frequently omitted from build pipelines because it introduces friction — false positives, build failures, developer frustration.
But the cost of not scanning is clearly higher.
Several commercial and open-source tools now exist specifically to catch secrets before they reach production. GitGuardian monitors Git repositories for leaked credentials. TruffleHog does the same. Trivy and Grype scan container images. AWS, Google Cloud, and Azure all offer some form of container image scanning in their managed registries. The tooling is there. Adoption and enforcement remain the bottleneck.
The European Commission incident also feeds into a broader conversation about software bill of materials — SBOMs — and supply chain transparency. The idea behind SBOMs is that every piece of software should come with a manifest listing its components, dependencies, and known vulnerabilities. The U.S. government mandated SBOM requirements for federal software suppliers through Executive Order 14028 in 2021, and the EU is moving in a similar direction. But an SBOM won’t catch a hardcoded password. It’s a complementary measure, not a substitute for runtime and build-time secret detection.
Industry reaction to the Commission’s exposure has been a mix of sympathy and pointed criticism. Security professionals on X noted that the incident validates what researchers have been warning about for years: public container registries are a goldmine for attackers willing to do a little digging. One commenter called it “the Docker equivalent of leaving your keys under the mat.” Others pointed out that if the European Commission can’t get this right, expecting small and mid-sized enterprises to do so under the Cyber Resilience Act’s requirements seems unrealistic without significant investment in tooling and training.
The broader implications extend beyond embarrassment. Hardcoded credentials in a container image associated with a major government institution could, in theory, serve as an initial access vector for espionage or sabotage. Nation-state threat actors routinely scan public repositories and registries for exactly this kind of low-hanging fruit. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned about the risks of exposed credentials in public code repositories and container images, and has urged organizations to implement automated secret detection as a baseline security control.
For the European Commission, the path forward likely involves a thorough audit of all publicly accessible container images, implementation of mandatory secret scanning in CI/CD pipelines, and a review of how credentials are managed and rotated across development teams. These are table-stakes measures that most mature DevSecOps organizations have already adopted. The fact that they apparently weren’t in place — or weren’t enforced — at one of Europe’s most important institutions is a wake-up call.
Not just for Brussels. For everyone building and shipping software in containers.
The incident is a reminder that supply chain security isn’t only about exotic attacks on build systems or compromised open-source libraries. Sometimes it’s as simple as a developer pasting a database password into a Dockerfile and forgetting to remove it. The mundane failures are often the most dangerous, precisely because they’re so easy to overlook — and so easy to exploit.


WebProNews is an iEntry Publication