Docker Buildx / BuildKit secrets & mounts
Definition
Docker Buildx is an advanced build tool that extends Docker's capabilities, leveraging BuildKit to provide improved performance and flexibility for building Docker images. BuildKit supports secret and SSH mounts, which expose sensitive data such as API keys or SSH keys to a single RUN step during the build without writing it into any image layer. This feature improves security because the final image contains neither the secret value nor a layer that once held it.
Secure Settings Example
# Dockerfile
# Use a BuildKit secret mount: /run/secrets/mysecret exists only for the
# duration of this RUN step and is never written into an image layer.
# Consume the value inside the step; do not redirect it to a file, since
# anything written to the filesystem here is captured in the layer.
FROM alpine:latest
RUN --mount=type=secret,id=mysecret \
    MYSECRET="$(cat /run/secrets/mysecret)" && \
    echo "secret was available to this step only (${#MYSECRET} bytes)"
# Build command
# Pass the secret with --secret; it is delivered to the build as a secret,
# not as part of the image. Keep mysecret.txt out of the build context
# (e.g. via .dockerignore) so a stray COPY cannot pick it up.
DOCKER_BUILDKIT=1 docker build --secret id=mysecret,src=mysecret.txt .
Insecure Settings Example
# Dockerfile
# Hardcoding sensitive data directly in the Dockerfile: the literal is stored
# both in the resulting layer and in the build history (docker history, layer
# extraction), so anyone who can pull the image can read it
FROM alpine:latest
RUN echo "mysecretpassword" > /root/secret.txt
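The following is an added example, not code from the page or from the Docker project: a small POSIX shell audit that statically flags the patterns discussed above (a literal credential in RUN/ENV/ARG, a secret mount whose content is redirected or copied into the image filesystem, and a COPY/ADD of a credential-looking file). The three sample Dockerfiles, the hostname registry.example.invalid and the secret id api_token are constructed for the demonstration; the checks are text heuristics and do not build anything.

```shell
#!/bin/sh
# Added example (not from the page): static audit of Dockerfile text for the
# leak patterns discussed above. Heuristic only; it never runs a build.
#   1. RUN/ENV/ARG lines carrying a literal credential (no secret mount)
#   2. a secret mount whose content is redirected/copied onto disk (persists in the layer)
#   3. COPY/ADD of credential-looking files from the build context
# Prints each finding as "<line>:<text>"; returns 0 when clean, 1 when a finding exists.
audit_dockerfile() {
  file="$1"
  rc=0
  # 1. literal credentials assigned or echoed at build time; lines that use a
  #    secret mount are excluded here and examined by rule 2 instead
  if grep -nEi '^(run|env|arg)[[:space:]].*(password|secret|token|api_key)' "$file" \
       | grep -v 'mount=type=secret'; then
    echo "  -> literal credential baked into a layer or image metadata"
    rc=1
  fi
  # 2. /run/secrets/<id> exists only during the RUN step, but "> file" or
  #    "cp /run/secrets/..." writes the value into the layer being built
  if grep -nE 'mount=type=secret.*(/run/secrets/[^[:space:]]+[[:space:]]*>|cp[[:space:]]+/run/secrets)' "$file"; then
    echo "  -> secret mount content written to the image filesystem"
    rc=1
  fi
  # 3. credential files copied in from the build context
  if grep -nEi '^(copy|add)[[:space:]].*(\.env|id_rsa|id_ed25519|\.pem|credentials)' "$file"; then
    echo "  -> credential file copied from the build context"
    rc=1
  fi
  return $rc
}

# Constructed sample Dockerfiles, written to a scratch directory.
AUDIT_DIR=$(mktemp -d)

# Secret consumed inside the RUN step only: nothing lands in a layer.
SECURE_DF="$AUDIT_DIR/secure.Dockerfile"
cat > "$SECURE_DF" <<'EOF'
FROM alpine:3.19
RUN --mount=type=secret,id=api_token apk add --no-cache curl && curl -fsS -H "Authorization: Bearer $(cat /run/secrets/api_token)" https://registry.example.invalid/ping
EOF

# Secret mount used correctly but then redirected to disk (the page's pitfall).
LEAKY_DF="$AUDIT_DIR/leaky.Dockerfile"
cat > "$LEAKY_DF" <<'EOF'
FROM alpine:latest
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret > /root/secret.txt
EOF

# Hardcoded literal plus a credential file copied from the context.
INSECURE_DF="$AUDIT_DIR/insecure.Dockerfile"
cat > "$INSECURE_DF" <<'EOF'
FROM alpine:latest
ENV API_TOKEN=abc123-constructed-value
RUN echo "mysecretpassword" > /root/secret.txt
COPY .env /app/.env
EOF

for df in "$SECURE_DF" "$LEAKY_DF" "$INSECURE_DF"; do
  echo "== $(basename "$df")"
  if audit_dockerfile "$df"; then
    echo "  clean"
  fi
done
```

The audit complements, rather than replaces, checking the built artifact: after `DOCKER_BUILDKIT=1 docker build --secret id=api_token,src=./token.txt .`, run `docker history --no-trunc <image>` and inspect the image filesystem (for example by running it and looking for the file the RUN step would have written) to confirm the value appears in neither the layer commands nor the layers themselves.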