Secrets at Sea: Hunting Exposed Code & Container Registries

Publicly accessible registries and repositories are often associated with well-known SaaS platforms such as GitHub or DockerHub. However, a significant number of individuals and companies rely on self-hosted solutions like GitLab or Harbor for managing their code and container images. Surprisingly, many of these self-hosted instances are inadvertently exposed, granting unauthenticated access to repositories and container images. This talk will explore methods for discovering publicly accessible self-hosted registries using techniques such as Certificate Transparency (CT) logs and Shodan scanning. We will discuss how to retrieve repository contents and container images from these sources, subsequently performing secrets scanning to assess the extent of exposure and raise awareness of potential security risks. From a tooling perspective, our investigation reveals a critical gap: most scanning tools fail to retrieve images from registries that are only available via plain HTTP. We will take this opportunity to discuss the registry API, and demonstrate approaches for interacting with it. Through real-world examples and hands-on insights, this talk aims to shed light on the current state of public registry exposure, providing actionable recommendations for improving security posture.