Env & Secrets
Docker · Reference cheat sheet
Env & Secrets
Docker · Reference cheat sheet
📋 Overview
Pass configuration with environment variables and inject secrets without baking them into image layers. Prefer runtime secrets over Dockerfile ENV for credentials.
🔧 Core concepts
| Mechanism | Use |
|---|---|
ENV | Non-secret defaults in image |
ARG | Build-time only (still visible in history if misused) |
-e / environment | Runtime env |
env_file | File of KEY=VAL |
BuildKit --secret | Secret mounts during build |
| Orchestrator secrets | Swarm/K8s/Compose secrets |
💡 Examples
Runtime env:
docker run --rm -e DATABASE_URL="$DATABASE_URL" myapp:1.0.0Compose env_file:
services:
api:
env_file:
- .env
environment:
NODE_ENV: productionBuildKit npm token (sketch):
# syntax=docker/dockerfile:1
RUN --mount=type=secret,id=npm,target=/root/.npmrc npm cidocker build --secret id=npm,src=$HOME/.npmrc -t myapp .⚠️ Pitfalls
ENV SECRET=...in a Dockerfile is recoverable from image history.- Committing
.envwith production credentials is a common breach path. docker historyand layer caching can retain leaked build args.