I've recently started to use docker far and wide for my professional projects. I'm still getting to grips with many of the details.
So far, when trying to acquire a software package from a repository on gitlab or github, I have gone the route of acquiring a token, putting the token in some environment variable, and passing that to docker build via the --build-arg argument and then to the git clone command.
However, as I started pushing my images to dockerhub, I was a bit shocked to find that in the "Image Layer Details" section, it also displays the value of the environment variables passed to docker build, that is, the content of my security tokens. Now, this is not so problematic because I can just revoke them and create new ones every time I push, but that seems quite cumbersome.
Is there a good way to pass security tokens to docker build such that they don't show up anywhere publicly?
First I want to mention that COPYing the secret (if it's a file) or using ARG (with docker build --build-arg) will always be visible (either by inspecting the layers or checking the image with docker history <image-id>), so those options are out of the question.
Docker now supports BuildKit which enables you to mount secrets during build time. One way to do this is by adding the following statement in your Dockerfile:
RUN --mount=type=secret,id=mysecret <some_command>
and during build use:
export MYSECRET=bigsecret
DOCKER_BUILDKIT=1 docker build --secret id=mysecret,env=MYSECRET -t myimage:latest .
The secrets should be available at /run/secrets/<secret_name> by default, but you can also specify the destination yourself (check the link).
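Putting the answer together for the git clone case from the question, here is an added example Dockerfile (not from the answerer or from Docker's own docs); the secret id git_token, the host path ~/.git_token, and the repository URL gitlab.example.com/group/project.git are assumed placeholders. It also covers a pitfall the answer does not mention: if the token is embedded in the clone URL it is persisted in /src/.git/config inside the layer, so the token is instead supplied through a one-off git credential helper that reads the mounted file.

```dockerfile
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN apk add --no-cache git

# The secret file is mounted at /run/secrets/git_token for this RUN step only;
# it is never copied into a layer, so neither `docker history` nor the
# "Image Layer Details" view on Docker Hub can show it.
#
# The token is handed to git through an inline credential helper rather than
# being written into the URL (https://oauth2:TOKEN@host/...), because a URL
# with an embedded token would be stored in /src/.git/config and thereby
# end up in the image anyway.
RUN --mount=type=secret,id=git_token \
    git -c credential.helper='!f() { echo "username=oauth2"; echo "password=$(cat /run/secrets/git_token)"; }; f' \
        clone https://gitlab.example.com/group/project.git /src

# Build with BuildKit, sourcing the secret from a file on the host
# (or with env=GIT_TOKEN, as in the answer above):
#   DOCKER_BUILDKIT=1 docker build --secret id=git_token,src=$HOME/.git_token -t myimage:latest .
#
# Afterwards, verify nothing leaked:
#   docker history --no-trunc myimage:latest | grep -c oauth2   # expect only the helper text, never the token
#   docker run --rm myimage:latest cat /src/.git/config          # remote URL contains no credentials
```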