safe way to use build-time argument in Docker

隐瞒了意图╮ 2020-12-18 04:38

I have a build time Argument with which I would like to build my Docker file; Since that argument is confidential in nature (github key of a private repo) I don't want that

3 answers
  • 2020-12-18 04:51

    With docker 18.09+, that will be: docker build --secret id=mysecret,src=/secret/file (using buildkit).

    See PR 1288, announced in this tweet.
    --secret is now guarded by API version 1.39.

    Example:

    printf "hello secret" > ./mysecret.txt
    
    export DOCKER_BUILDKIT=1
    
    docker build --no-cache --progress=plain --secret id=mysecret,src=$(pwd)/mysecret.txt -f - . <<EOF
    # syntax = tonistiigi/dockerfile:secrets20180808
    FROM busybox
    RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
    RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
    EOF
    
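An added illustration of the point made in this answer (this is not code from the thread or from the Docker project): a small static check that flags the `ARG`/`ENV` anti-pattern for credentials and recognises the BuildKit `RUN --mount=type=secret` form instead. Build args and `ENV` values are recorded in the image configuration and show up in `docker history` / `docker inspect`, whereas a secret mount is only visible to that one `RUN` step and is never written into a layer. The two embedded Dockerfiles are constructed for the example; the repository `example/private.git`, the secret id `github_token` and the credential name heuristic are assumptions, not anything from the original question.

```python
"""Lint Dockerfiles for credentials passed through ARG/ENV (constructed example).

Two constructed Dockerfiles: LEAKY passes a private-repo token through ARG/ENV
(the value lands in image metadata and build history); HARDENED uses BuildKit's
`RUN --mount=type=secret`, so the value is only readable during that RUN step.
"""
import re

# Heuristic for names that usually denote credentials; assumption, extend as needed.
SECRET_NAME_RE = re.compile(
    r"(token|secret|passw(or)?d|api_?key|github_key|credential)", re.I
)

# Constructed sample: the anti-pattern. Repository name is hypothetical.
LEAKY_DOCKERFILE = """\
FROM alpine:3.19
ARG GITHUB_TOKEN
ENV GITHUB_TOKEN=$GITHUB_TOKEN
RUN apk add --no-cache git && git clone https://$GITHUB_TOKEN@github.com/example/private.git /src
"""

# Constructed sample: BuildKit secret mount (needs DOCKER_BUILDKIT=1 and
# `docker build --secret id=github_token,src=...`). Secret id is an assumption.
HARDENED_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN apk add --no-cache git
RUN --mount=type=secret,id=github_token \\
    git clone "https://$(cat /run/secrets/github_token)@github.com/example/private.git" /src
"""


def instructions(text):
    """Yield (start_line, INSTRUCTION, arguments), joining backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # skip blank lines and comments (incl. `# syntax=` directive)
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(part.strip() for part in buf)
        buf = []
        instr, _, args = joined.partition(" ")
        yield start, instr.upper(), args.strip()


def lint_dockerfile(text):
    """Return findings as (line_no, severity, message) tuples."""
    findings = []
    secret_args = set()  # ARG names that look like credentials
    for no, instr, args in instructions(text):
        if instr == "ARG":
            name = args.split("=", 1)[0].strip()
            if SECRET_NAME_RE.search(name):
                secret_args.add(name)
                findings.append((no, "high",
                                 f"ARG {name}: build args are recorded in image history"))
        elif instr == "ENV":
            name = re.split(r"[= ]", args, maxsplit=1)[0]
            if SECRET_NAME_RE.search(name):
                findings.append((no, "high",
                                 f"ENV {name}: stored in image config, inherited by every container"))
        elif instr == "RUN":
            if "--mount=type=secret" in args:
                findings.append((no, "info",
                                 "RUN uses a BuildKit secret mount; value is not written to a layer"))
            for name in secret_args:
                # $NAME or ${NAME} expanded on a RUN line ends up in the layer's recorded command
                if re.search(rf"\$\{{?{re.escape(name)}\b", args):
                    findings.append((no, "high",
                                     f"RUN expands ${name}; the command line is kept in layer history"))
    return findings


if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {label} ==")
        for line_no, severity, message in lint_dockerfile(text):
            print(f"  line {line_no:>2} [{severity}] {message}")
```

Running the script reports three high-severity findings for the leaky file (the `ARG`, the `ENV` and the `RUN` that expands the token) and only an informational note for the hardened one. The check is intentionally conservative: it looks at instruction names and variable expansions, not at what the command does, so it is a cheap pre-build gate rather than a substitute for inspecting `docker history` on the built image.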
  • 2020-12-18 05:01

    I'd rely on context of the Dockerfile for that. Basically, have something else (i.e. Jenkins, sub-repos) that's trusted with your Github key pull down all the necessary repos to relative locations that give your Dockerfile the context it needs. Nothing in the Docker build process itself should be managing secrets.

    I can be more specific, if you specify more about your use-case. If it's just a single repo you need, you can just stick the Dockerfile in the root of that repo and rely on something else to provide credentials for cloning the repo down.

  • 2020-12-18 05:05

    This is the point of docker secret

    see for example

    https://blog.docker.com/2017/02/docker-secrets-management/
