safe way to use build-time argument in Docker

I have a build-time argument with which I would like to build my Dockerfile. Since that argument is confidential in nature (a GitHub key for a private repo), I don't want it to end up in the Docker image. This quote is from the official Docker documentation regarding build-time arguments:

Warning: It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

Does anybody know the recommended way to achieve this?

so-random-dude asked Jul 30 '17 22:07

2 Answers

With docker 18.09+, that will be: docker build --secret id=mysecret,src=/secret/file (using buildkit).

See PR 1288, announced in this tweet.
--secret is now guarded by API version 1.39.

Example:

printf "hello secret" > ./mysecret.txt   # the secret lives in a file, never in an ARG or ENV

export DOCKER_BUILDKIT=1                  # --secret requires the BuildKit builder

docker build --no-cache --progress=plain --secret id=mysecret,src=$(pwd)/mysecret.txt -f - . <<EOF
# syntax = tonistiigi/dockerfile:secrets20180808
FROM busybox
# The secret is mounted only for the duration of each RUN step; it is not written to a layer
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
# dst= picks a different mount path for the same secret
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
EOF
VonC answered Oct 14 '22 20:10
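As an added example (not from the question or either answer), here is a small Python check over `docker history --no-trunc --format '{{json .}}'` output that flags build-arg and ENV values recorded in a layer's CreatedBy field, which is exactly the exposure the quoted warning describes. The history lines, layer IDs and token value are constructed; the last line shows a BuildKit secret-mount step, included to show it leaves no value behind.

```python
import json
import re

# Constructed sample of `docker history --no-trunc --format '{{json .}}'`
# output (one JSON object per line). Not real output: token and layer IDs
# are made up, but the shape follows how the classic builder records build
# args consumed by a RUN step as a "|N KEY=VALUE ..." prefix on CreatedBy.
SAMPLE_HISTORY = r"""
{"CreatedBy":"/bin/sh -c #(nop)  CMD [\"sh\"]","ID":"sha256:aaa","Size":"0B"}
{"CreatedBy":"|1 GITHUB_TOKEN=ghp_EXAMPLEtoken123 /bin/sh -c git clone https://$GITHUB_TOKEN@github.com/example/private.git /src","ID":"sha256:bbb","Size":"1.2MB"}
{"CreatedBy":"/bin/sh -c #(nop)  ARG GITHUB_TOKEN","ID":"<missing>","Size":"0B"}
{"CreatedBy":"/bin/sh -c #(nop)  ENV APP_ENV=production","ID":"<missing>","Size":"0B"}
{"CreatedBy":"RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret # buildkit","ID":"<missing>","Size":"0B"}
"""

# "|N KEY=VALUE ... /bin/sh -c <cmd>": build args consumed by a RUN step
ARG_PREFIX = re.compile(r"^\|\d+\s+(.*?)\s+/bin/sh -c ")
# "#(nop)  ENV KEY=VALUE" / "#(nop)  ARG KEY=VALUE": values baked in as metadata
NOP_ASSIGN = re.compile(r"#\(nop\)\s+(?:ENV|ARG)\s+(.*)$")
KEY_VALUE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\S+)")
# Variable names that usually carry credentials; a name match alone is reported
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)


def baked_values_in_layer(created_by):
    """Return {name: value} for every KEY=VALUE recorded in one layer's CreatedBy."""
    for pattern in (ARG_PREFIX, NOP_ASSIGN):
        match = pattern.search(created_by)
        if match:
            return dict(KEY_VALUE.findall(match.group(1)))
    return {}


def find_leaked_secrets(history_jsonl, known_values=()):
    """Report (name, value) pairs that look like secrets by name, or whose value
    equals a secret the caller knows was passed to the build."""
    findings = []
    for line in history_jsonl.splitlines():
        if not line.strip():
            continue
        created_by = json.loads(line)["CreatedBy"]
        for name, value in baked_values_in_layer(created_by).items():
            if SECRET_NAME.search(name) or value in known_values:
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for name, value in find_leaked_secrets(SAMPLE_HISTORY):
        print(f"{name} is readable from the image history: {value}")
```

Run it against a real image with `docker history --no-trunc --format '{{json .}}' <image>` piped into `find_leaked_secrets`, passing the values you supplied via `--build-arg` as `known_values` so leaks are caught even when the variable name is innocuous.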


I'd rely on the context of the Dockerfile for that. Basically, have something else (e.g. Jenkins, sub-repos) that's trusted with your GitHub key pull down all the necessary repos to relative locations that give your Dockerfile the context it needs. Nothing in the Docker build process itself should be managing secrets.

I can be more specific, if you specify more about your use-case. If it's just a single repo you need, you can just stick the Dockerfile in the root of that repo and rely on something else to provide credentials for cloning the repo down.

Eli answered Oct 14 '22 20:10