Do not copy secrets into image layers
BuildKit can forward the SSH agent socket
Bad example (the key remains in the COPY layer even after the later rm):
FROM ubuntu
COPY id_rsa /root/.ssh/
RUN scp user@somewhere:/tmp/data .
RUN rm /root/.ssh/id_rsa
–
BuildKit forwards the SSH agent socket
Prepare SSH agent:
ssh-keygen -f id_rsa_test
eval $(ssh-agent -s)
ssh-add id_rsa_test
ssh-add -l
Forward into build:
export DOCKER_BUILDKIT=1
docker build --ssh default --progress plain .
Compare local and build:
ssh-add -l
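The Dockerfile side of the steps above, as an added example that is not part of the original slides: the bad example rewritten so the forwarded agent is used and no key file is copied. It assumes a known_hosts file for the remote host in the build context and that openssh-client has to be installed in the ubuntu base image.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: counterpart to the bad example, built with
#   docker build --ssh default --progress plain .
FROM ubuntu

# ssh-add and scp come from openssh-client (assumed missing in the base image).
RUN apt-get update \
 && apt-get install -y --no-install-recommends openssh-client \
 && rm -rf /var/lib/apt/lists/*

# Host keys are public data, so copying them into a layer is fine.
# Assumption: known_hosts holds the pinned host key of "somewhere".
COPY known_hosts /root/.ssh/known_hosts

# The agent socket is mounted for this RUN step only and SSH_AUTH_SOCK
# points at it. This lists the same fingerprint as ssh-add -l on the host.
RUN --mount=type=ssh ssh-add -l

# Authentication goes through the forwarded agent. The private key never
# enters the build context or any image layer, so there is nothing to rm.
RUN --mount=type=ssh scp user@somewhere:/tmp/data .
```

RUN steps without --mount=type=ssh have no access to the agent socket.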