Do not provide secrets using environment variables
ENV burns variables into the image
Build arguments (ARG / --build-arg) are only one option
Mount secrets using tmpfs
Temporary files in /run/secrets/
Introduced in Docker 18.09
Use experimental syntax in the Dockerfile:
# syntax=docker/dockerfile:experimental
FROM alpine
# The secret is mounted at /run/secrets/mysite.key for this RUN step only;
# it is not written into any image layer.
RUN --mount=type=secret,id=mysite.key \
    ls -l /run/secrets
Build the image with the secret taken from mysite.key:
export DOCKER_BUILDKIT=1
docker build \
--secret id=mysite.key,src=./mysite.key \
--progress plain \
.
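The contrast between the two slides (credentials passed through ENV/ARG versus a BuildKit secret mount) can be turned into a simple lint that a CI job runs before `docker build`. The script below is an added example, not part of the original slides or of Docker itself; the two sample Dockerfiles are constructed inline, and the credential-like name pattern (KEY, SECRET, PASSWORD, TOKEN) is an assumption you would tune for your own naming conventions.

```shell
#!/bin/sh
# Added example, not from the original slides: lint a Dockerfile for
# secrets passed via ENV or ARG (both are recoverable from the image
# config or `docker history`) and count BuildKit secret mounts, which
# is the approach the slides recommend.
# The name pattern below is an assumption, not a Docker convention.

SECRET_NAME_RE='^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Za-z0-9_]*(KEY|SECRET|PASSWORD|TOKEN)'
SECRET_MOUNT_RE='^[[:space:]]*RUN[[:space:]]+.*--mount=type=secret'

# Number of ENV/ARG instructions whose variable name looks credential-like.
count_env_secrets() {
    grep -ciE "$SECRET_NAME_RE" "$1" || true
}

# Number of RUN instructions that use a BuildKit secret mount.
count_secret_mounts() {
    grep -ciE "$SECRET_MOUNT_RE" "$1" || true
}

# "UNSAFE" if any credential-like ENV/ARG is present, otherwise "OK".
classify_dockerfile() {
    if [ "$(count_env_secrets "$1")" -gt 0 ]; then
        echo UNSAFE
    else
        echo OK
    fi
}

# Constructed sample: the anti-pattern from the first slide.
write_bad_dockerfile() {
    cat > "$1" <<'EOF'
FROM alpine
ARG API_TOKEN
ENV DB_PASSWORD=hunter2
RUN ./fetch-deps --token "$API_TOKEN"
EOF
}

# Constructed sample: the secret mount shown on the slides, plus a
# harmless ENV that must not be flagged.
write_good_dockerfile() {
    cat > "$1" <<'EOF'
# syntax=docker/dockerfile:experimental
FROM alpine
ENV PATH=/usr/local/bin:$PATH
RUN --mount=type=secret,id=mysite.key \
    ls -l /run/secrets
EOF
}

# Stand-alone demonstration on the two constructed samples.
tmpdir="${TMPDIR:-/tmp}/dockerfile-lint.$$"
mkdir -p "$tmpdir"
write_bad_dockerfile "$tmpdir/Dockerfile.bad"
write_good_dockerfile "$tmpdir/Dockerfile.good"
for f in "$tmpdir/Dockerfile.bad" "$tmpdir/Dockerfile.good"; do
    printf '%s: %s (env/arg secrets=%s, secret mounts=%s)\n' \
        "$f" "$(classify_dockerfile "$f")" \
        "$(count_env_secrets "$f")" "$(count_secret_mounts "$f")"
done
rm -rf "$tmpdir"
```

The lint only looks at instruction names and variable names, so it will not catch a secret baked in through `COPY` or `RUN echo`; its purpose is to make the ENV/ARG shortcut fail fast in CI so that the `--mount=type=secret` path stays the default. Note that `--build-arg` values also survive in `docker history` output of the finished image, which is why `ARG` is flagged alongside `ENV`.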