Environment variables defined in the compose file are included in the image build. They should only be defined at runtime.
Aside from being a deviation from docker compose behavior, this is a potential security concern since it is common for those variables to contain secrets.
```
STEP 1/2: FROM scratch
STEP 2/2: ENV "FOO"="bar" # note this variable that should not be part of build
COMMIT foo:latest
--> 9f279e6856c7
Successfully tagged localhost/foo:latest
```
Describe the bug
To Reproduce
1. Dockerfile:
2. compose.yaml:
3. `podman compose build foo`:
4. `podman image inspect foo:latest|jq '.[0].Config.Env'`:
5. docker compose behaves correctly:
Expected behavior
Environment variables defined in the compose file should not be included in the build.
Actual behavior
Environment variables defined in the compose file are included in the build.
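A CI-side check for the leak described in this report, added here as an example (it is not code from podman-compose or from the reporter). It reads the JSON that `podman image inspect` prints, which is the same data the report filters with `jq '.[0].Config.Env'`, together with the keys a service lists under `environment:` in compose.yaml, and reports any of those keys that were baked into the image's `Config.Env`. The inspect output and the compose environment below are constructed samples mirroring the `FOO=bar` case above; the `inspect_image` helper that shells out to a real podman is an assumption about the command's output shape and is not exercised by the offline sample.

```python
"""Detect compose `environment:` variables that were baked into an image.

Added example, not code from podman-compose or from the issue reporter.
"""
import json
import subprocess  # only used by inspect_image(), the live podman path


# Constructed sample of `podman image inspect foo:latest` output, trimmed to the
# fields this check reads. As in the bug above, FOO=bar sits in Config.Env even
# though it was only meant to be set when the container runs.
SAMPLE_INSPECT = json.dumps([{
    "Id": "9f279e6856c7",
    "Config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "FOO=bar",
        ]
    },
}])

# Constructed: a service's `environment:` block, in both shapes compose accepts.
# A bare "DB_PASSWORD" entry means "pass the value through from the host".
SAMPLE_COMPOSE_ENV_LIST = ["FOO=bar", "DB_PASSWORD"]
SAMPLE_COMPOSE_ENV_MAP = {"FOO": "bar", "DB_PASSWORD": None}


def compose_env_keys(environment) -> set:
    """Return the variable names from a compose `environment:` value.

    Accepts either the mapping form (KEY: value) or the list form of
    "KEY=value" / "KEY" strings and reduces both to bare key names.
    """
    if isinstance(environment, dict):
        return set(environment)
    return {entry.split("=", 1)[0] for entry in environment}


def image_env(inspect_json: str) -> dict:
    """Parse `podman image inspect` JSON into {KEY: value} from Config.Env."""
    data = json.loads(inspect_json)
    env = data[0].get("Config", {}).get("Env") or []
    result = {}
    for entry in env:
        key, _, value = entry.partition("=")
        result[key] = value
    return result


def baked_in(inspect_json: str, environment) -> dict:
    """Keys from the compose environment that ended up in the image config."""
    keys = compose_env_keys(environment)
    return {k: v for k, v in image_env(inspect_json).items() if k in keys}


def inspect_image(image: str) -> str:
    """Fetch inspect JSON from a live podman (assumed CLI; not used offline)."""
    return subprocess.run(
        ["podman", "image", "inspect", image],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    leaked = baked_in(SAMPLE_INSPECT, SAMPLE_COMPOSE_ENV_LIST)
    for key in sorted(leaked):
        # Name the key only; the value may itself be the secret.
        print(f"leaked into image config: {key} (value redacted)")
    raise SystemExit(1 if leaked else 0)
```

Replace `SAMPLE_INSPECT` with `inspect_image("foo:latest")` and the sample environment with the block parsed from your compose.yaml to run it against a real build; a non-zero exit then fails the pipeline before an image carrying runtime secrets is pushed.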
Output
Environment: