Azure / acr-builder

Azure Container Registry Build Runner
MIT License

Secrets exposed when using --secretBuildArgs #644

Open blueboxes opened 1 year ago

blueboxes commented 1 year ago

There does not seem to be documentation on how to consume the values from --secretBuildArgs in your docker script.

If I look at the code, it seems to map to docker build args:

https://github.com/Azure/acr-builder/blob/main/cmd/acb/commands/build/build.go#L302

This is odd, as the Docker documentation says never to use build args for secrets because they are stored in the logs.

https://docs.docker.com/engine/reference/builder/#arg

After testing, I have seen the secrets shown in the logs in the Azure portal. These are secrets that viewers of the logs should not see. This came up because I used a { character in the secret value and that broke the script.

yuehaoliang commented 8 months ago

You're correct that the --secret-build-arg is simply passed to --build-arg of the Docker build command. The distinction pertains to the visibility of data in the ACR backend.

To mitigate the risk of potential leaks through Docker history, consider creating a YAML context and utilizing BuildKit's secret and volume mount features instead. Please refer to ACR Tasks reference: YAML, and also ACR Tasks samples.
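The two Dockerfile shapes this reply contrasts, as an added example that is not part of the thread or of acr-builder. The first takes the token as an ARG, which is what `--secret-build-arg` feeds through `--build-arg`; the value is then recorded in the command line of every later layer and shows up in `docker history`, independent of whatever the ACR portal log prints. The second uses a BuildKit secret mount, which exposes the token as a file for one RUN only and leaves nothing in the image metadata. The script also carries a small check that reads `docker history` output and reports whether a given secret value appears in it. Image names, the secret id `npm_token`, and the `.npmrc` target path are assumptions chosen for the illustration.

```shell
#!/usr/bin/env bash
# Added example, not acr-builder code. Contrasts the build-arg form that
# leaks into image history with the BuildKit secret-mount form, and checks
# an image's history for a secret value. Image names and the secret id
# "npm_token" are assumptions.
set -euo pipefail

# (1) Leaky form: --build-arg NPM_TOKEN=... is recorded in the command line
# of every layer after the ARG, so `docker history --no-trunc` shows it.
leaky_dockerfile() {
  cat <<'EOF'
FROM alpine:3.19
ARG NPM_TOKEN
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > /root/.npmrc \
 && echo "install would run here"
EOF
}

# (2) Hardened form: the secret is mounted as a file for this RUN only. It is
# not an ARG and not a layer, so its value never enters the image metadata.
# Mounting straight onto the config path also avoids writing it into a layer.
safe_dockerfile() {
  cat <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN --mount=type=secret,id=npm_token,target=/root/.npmrc \
    echo "install would run here"
EOF
}

# (3) Check: read `docker history --format '{{.CreatedBy}}'` lines on stdin
# and return 0 if the secret value is present in any of them, 1 if clean.
history_leaks_secret() {
  local secret="$1"
  if grep -cF -- "$secret" >/dev/null; then return 0; else return 1; fi
}

# Build both images and run the check on each. Needs a working docker CLI
# with BuildKit; skipped when docker is not on PATH.
demo_with_docker() {
  local secret="npm_s3cr3t_value"   # constructed throwaway value
  command -v docker >/dev/null || { echo "docker not found, skipping build"; return 0; }
  local d; d=$(mktemp -d)
  leaky_dockerfile > "$d/Dockerfile.leaky"
  safe_dockerfile  > "$d/Dockerfile.safe"
  printf '%s' "$secret" > "$d/npm_token"
  docker build -q -f "$d/Dockerfile.leaky" --build-arg "NPM_TOKEN=$secret" -t leaky-demo "$d"
  DOCKER_BUILDKIT=1 docker build -q -f "$d/Dockerfile.safe" \
    --secret "id=npm_token,src=$d/npm_token" -t safe-demo "$d"
  local img
  for img in leaky-demo safe-demo; do
    if docker history --no-trunc --format '{{.CreatedBy}}' "$img" | history_leaks_secret "$secret"; then
      echo "$img: secret value present in image history"
    else
      echo "$img: clean"
    fi
  done
}

# Run the docker demo only when asked, so the functions can be sourced alone.
if [ "${1:-}" = "--run" ]; then demo_with_docker; fi
```

Run it as `bash leak-check.sh --run` on a host with Docker to see `leaky-demo` flagged and `safe-demo` reported clean; `history_leaks_secret` can also be pointed at any existing image with `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | history_leaks_secret VALUE`. The same history check is what to run against an image produced by an ACR task before deciding the secret handling is fixed, since the portal log and the image metadata are two separate places a build-arg value can land.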