I do think using BuildKit secrets would be a big win for the security of containers running on Buildkite. AFAICT currently the quickest way to provide secrets to a Docker build using this plugin is with build args + env vars — however, those approaches expose the secrets in plain text in the built Docker image and are considered bad practice for obvious security reasons.
Docker 20.10 adds the additional ability to load secrets from environment variables, not just files. For example, if you have an environment variable MYSECRET, you can access it like this:
I'm creating a new issue from the convo here, for better organization https://github.com/buildkite-plugins/docker-compose-buildkite-plugin/pull/334#issuecomment-1289734691
e.g.
https://pythonspeed.com/articles/docker-build-secrets/
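
The contrast described in this issue, as an added example that is not part of the original post or of the plugin: one Dockerfile with a stage that takes `MYSECRET` as a build arg and a stage that takes it as a BuildKit secret sourced from the environment variable. The stage names, the secret id `mysecret`, the image tags and the `alpine:3` base image are assumptions made for illustration.

```dockerfile
# syntax=docker/dockerfile:1

# --- Stage "leaky": secret passed as a build arg ---
# Build: docker build --target leaky --build-arg MYSECRET="$MYSECRET" -t demo:leaky .
# Check: docker history --no-trunc demo:leaky
#        The RUN step below is recorded together with the MYSECRET value,
#        so anyone who can pull the image can read it.
FROM alpine:3 AS leaky
ARG MYSECRET
RUN test -n "$MYSECRET" && \
    echo "secret is $(printf %s "$MYSECRET" | wc -c) bytes long"

# --- Stage "safe": the same step using a BuildKit secret mount ---
# Build: DOCKER_BUILDKIT=1 docker build --target safe \
#          --secret id=mysecret,env=MYSECRET -t demo:safe .
# Check: docker history --no-trunc demo:safe
#        Only the command text is recorded; the value is never part of a layer.
FROM alpine:3 AS safe
# The secret is mounted at /run/secrets/<id> for this RUN instruction only.
# Read it in place; do not copy it to another path or export it with ENV.
RUN --mount=type=secret,id=mysecret \
    test -s /run/secrets/mysecret && \
    echo "secret is $(wc -c < /run/secrets/mysecret) bytes long"
```

The `env=` source for `--secret` needs Docker 20.10 or later; on older versions the secret has to come from a file with `src=`.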