genuinetools / img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
MIT License
3.89k stars, 230 forks

Build args' values are visible in the output #253

Closed ikorolev93 closed 5 years ago

ikorolev93 commented 5 years ago

Dockerfile:

FROM busybox
ARG SECRET
RUN echo "${SECRET}" > build-secret.txt

img build --build-arg SECRET=foo123 -t my-image .: (notice how foo123 is visible in the output)

Building docker.io/library/my-image:latest
Setting up the rootfs... this may take a bit.
[+] Building 3.1s (6/6) FINISHED
 => [internal] load .dockerignore  0.4s
 => => transferring context: 2B  0.0s
 => [internal] load build definition from Dockerfile  0.6s
 => => transferring dockerfile: 37B  0.0s
 => [internal] load metadata for docker.io/library/busybox:latest  1.9s
 => [1/2] FROM docker.io/library/busybox@sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70  0.0s
 => => resolve docker.io/library/busybox@sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70  0.0s
 => CACHED [2/2] RUN echo "foo123" > secret.txt  0.0s
 => exporting to image  0.3s
 => => exporting layers  0.1s
 => => exporting manifest sha256:9afc4e923e21fc8de57303fe5d99fccfe533417be323fc8a513da036e7cb4411  0.0s
 => => exporting config sha256:be5ead1be166c72b6ee97a25d82a809263e8d5531b9871b6c08d8ab2c650c89c  0.0s
 => => naming to docker.io/library/my-image:latest  0.0s
Successfully built docker.io/library/my-image:latest

For comparison, docker build --build-arg SECRET=foo123 -t my-image .:

Sending build context to Docker daemon  3.584kB
Step 1/3 : FROM busybox
 ---> e4db68de4ff2
Step 2/3 : ARG SECRET
 ---> Using cache
 ---> 1bd2b4744ab3
Step 3/3 : RUN echo "${SECRET}" > secret.txt
 ---> Running in 09be3066732c
Removing intermediate container 09be3066732c
 ---> 194fd56e6f76
Successfully built 194fd56e6f76
Successfully tagged my-image:latest

issue-label-bot[bot] commented 5 years ago

Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.86. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!


AkihiroSuda commented 5 years ago

--build-arg is not intended to provide a secret. Build-arg values are also visible via docker history.

AkihiroSuda commented 5 years ago

The right way is to port over docker build --secret.

ikorolev93 commented 5 years ago

> --build-arg is not intended to provide a secret. Build-arg values are also visible via docker history.

I guess you are right, although it's not a problem in my case, since I use a multi-stage Dockerfile, and only the last stage's history is saved. But of course, implementing --secret would be awesome.
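The "visible via docker history" point above, and the multi-stage reply after it, both come down to what the final image config records. As an added example (not code from the img project or from anyone in this thread), this script walks the `history` array of an image config JSON and pulls out every build arg that Docker's classic builder or BuildKit recorded in a `created_by` field with the `|N KEY=VALUE` prefix; the config document is constructed inline, and the `secret_like_args` name filter is an assumption of this example, not a Docker convention.

```python
import json
import re

# Constructed sample image config (the JSON behind `docker inspect` / OCI config).
# Both the classic builder and BuildKit prefix a RUN step's created_by with
# "|N KEY=VALUE ..." listing the build args in scope, so a build-arg "secret"
# lives on in the image metadata even if it never landed in a layer.
SAMPLE_CONFIG = json.dumps({
    "config": {"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in / "},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"sh\"]", "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop)  ARG SECRET", "empty_layer": True},
        {"created_by": "|1 SECRET=foo123 /bin/sh -c echo \"${SECRET}\" > secret.txt"},
        {"created_by": "RUN |2 SECRET=foo123 TOKEN=abc /bin/sh -c true # buildkit"},
    ],
})

# Leading "|N " marker (BuildKit also prepends "RUN "); N is the number of args.
_ARG_PREFIX = re.compile(r"^(?:RUN )?\|(\d+) ")

# Assumed heuristic for this example: arg names that usually carry credentials.
_SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASS|KEY|CRED)", re.IGNORECASE)


def build_args_in_history(config_json: str) -> list[dict]:
    """Return every build arg (step index, name, value) recorded in the history.

    Only the stages that reach the final image are in `history`, which is why
    a multi-stage build hides earlier stages' args here but not in the build log.
    Values containing spaces are not disambiguated by this simple tokenizer.
    """
    cfg = json.loads(config_json)
    findings = []
    for idx, entry in enumerate(cfg.get("history", [])):
        created_by = entry.get("created_by", "")
        m = _ARG_PREFIX.match(created_by)
        if not m:
            continue
        count = int(m.group(1))
        # N KEY=VALUE tokens follow the marker, then the shell command itself.
        tokens = created_by[m.end():].split(" ", count)
        for tok in tokens[:count]:
            name, _, value = tok.partition("=")
            findings.append({"step": idx, "name": name, "value": value})
    return findings


def secret_like_args(config_json: str) -> list[dict]:
    """Subset of build_args_in_history whose names look like credentials."""
    return [f for f in build_args_in_history(config_json) if _SECRET_NAME.search(f["name"])]
```

Running `build_args_in_history` over the config of a real image built from the Dockerfile in this issue would show `SECRET=foo123` on the RUN step, which is the same exposure as the build output and the reason `--secret` mounts are the fix.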