I have a private repo that can be installed via Python's pip:
requirements.txt
git+https://${GITHUB_TOKEN}@github.com/MY_ACCOUNT/MY_REPO.git
And a Dockerfile:
Dockerfile
FROM python:3.8.11
RUN apt-get update && \
apt-get -y install gcc curl && \
rm -rf /var/lib/apt/lists/*
ARG GITHUB_TOKEN
COPY ./requirements.txt /tmp/requirements.txt
RUN pip install -r /tmp/requirements.txt
It worked perfectly when I built the image:
$ docker build . --build-arg GITHUB_TOKEN=THIS_IS_MY_GITHUB_TOKEN -t wow/my_app:latest
But when I inspected the image, it shows GITHUB_TOKEN in the Cmd section:
$ docker image inspect wow/my_app:latest
...
"ContainerConfig": {
...
"Cmd": [
"|1",
"GITHUB_TOKEN=THIS_IS_MY_GITHUB_TOKEN", # Here!
"/bin/sh",
"-c",
"pip install -r /tmp/requirements.txt"
],
...
},
...
I think this could lead to a security problem. How can I solve this so that no credential info appears in docker inspect?
CodePudding user response:
If you build your image using BuildKit, you can take advantage of Docker build secrets.
You would structure your Dockerfile something like this:
FROM python:3.8.11
RUN apt-get update && \
apt-get -y install gcc curl && \
rm -rf /var/lib/apt/lists/*
COPY ./requirements.txt /tmp/requirements.txt
RUN --mount=type=secret,id=GITHUB_TOKEN \
GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) \
pip install -r /tmp/requirements.txt
And then if you have a GITHUB_TOKEN environment variable in your local environment, you could run:
docker buildx build --secret id=GITHUB_TOKEN -t myimage .
Or if you have the value in a file, you could run:
docker buildx build \
--secret id=GITHUB_TOKEN,src=github_token.txt \
-t myimage .
In either case, the setting will not be baked into the resulting image. See the linked documentation for more information.
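A practical follow-up to the answer above is to verify that the rebuilt image really no longer carries the token. The following is an added example, not code from the question or the answer: it walks the JSON that `docker image inspect` (or `docker history --format json`) emits and reports every JSON path whose string value contains a known secret value, without ever printing the secret itself. The two inspect documents embedded below are constructed samples that mirror the `ContainerConfig.Cmd` shape shown in the question, one with the `--build-arg` leak and one built with the secret mount; the image IDs and the token value are placeholders.

```python
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample: `docker image inspect` output for an image built with
# `--build-arg GITHUB_TOKEN=...`. The build arg is recorded in the RUN step's Cmd.
LEAKY_INSPECT = json.dumps([{
    "Id": "sha256:PLACEHOLDER_LEAKY_IMAGE_ID",
    "ContainerConfig": {
        "Cmd": ["|1", "GITHUB_TOKEN=THIS_IS_MY_GITHUB_TOKEN", "/bin/sh", "-c",
                "pip install -r /tmp/requirements.txt"],
        "Env": ["PATH=/usr/local/bin:/usr/bin"],
    },
    "Config": {"Cmd": ["python3"], "Env": ["PATH=/usr/local/bin:/usr/bin"]},
}])

# Constructed sample: the same image rebuilt with `RUN --mount=type=secret`.
# The token is read from /run/secrets at build time and never becomes image metadata.
CLEAN_INSPECT = json.dumps([{
    "Id": "sha256:PLACEHOLDER_CLEAN_IMAGE_ID",
    "ContainerConfig": {
        "Cmd": ["/bin/sh", "-c", "pip install -r /tmp/requirements.txt"],
        "Env": ["PATH=/usr/local/bin:/usr/bin"],
    },
    "Config": {"Cmd": ["python3"], "Env": ["PATH=/usr/local/bin:/usr/bin"]},
}])


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string_value) for every string anywhere in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_leaked_secrets(inspect_json: str, secrets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (secret_label, json_path) for every string that contains a secret value.

    `secrets` maps a label such as "GITHUB_TOKEN" to the real value to look for.
    Only the label and the location are reported, never the value, so the report
    itself is safe to attach to a CI log. Empty values are skipped so an unset
    variable cannot match every string.
    """
    document = json.loads(inspect_json)
    hits: List[Tuple[str, str]] = []
    for json_path, text in _walk(document):
        for label, value in secrets.items():
            if value and value in text:
                hits.append((label, json_path))
    return hits


def image_is_clean(inspect_json: str, secrets: Dict[str, str]) -> bool:
    """True when none of the given secret values appear in the inspect output."""
    return not find_leaked_secrets(inspect_json, secrets)


if __name__ == "__main__":
    # Runs offline against the constructed samples; to check a real image instead:
    #   docker image inspect wow/my_app:latest | python check_image_secrets.py
    # with the token exported as GITHUB_TOKEN (file name and env var are assumptions).
    import os
    token = os.environ.get("GITHUB_TOKEN", "")
    if not sys.stdin.isatty() and token:
        samples = {"stdin": sys.stdin.read()}
        secrets = {"GITHUB_TOKEN": token}
    else:
        samples = {"leaky": LEAKY_INSPECT, "clean": CLEAN_INSPECT}
        secrets = {"GITHUB_TOKEN": "THIS_IS_MY_GITHUB_TOKEN"}
    for name, doc in samples.items():
        hits = find_leaked_secrets(doc, secrets)
        status = "CLEAN" if not hits else "LEAK"
        print(f"{name}: {status}")
        for label, json_path in hits:
            print(f"  {label} found at {json_path}")
```

Because the walk is generic over the JSON structure, the same check also covers `Config.Env` (a token passed with `ENV` rather than `ARG`) and the `CreatedBy` field of `docker history --format json` output, which records build args on every layer that used them; the `--build-arg` leak in the question shows up at `$[0].ContainerConfig.Cmd[1]`, while the secret-mount build reports nothing.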