How to use GITHUB_TOKEN in pip's requirements.txt without setting it as env variable in Dockerfile?


I have a private repo that can be installed via Python's pip:



And a Dockerfile:


FROM python:3.8.11

# Declared so the --build-arg passed on the command line below is consumed by the build
ARG GITHUB_TOKEN

RUN apt-get update && \
    apt-get -y install gcc curl && \
    rm -rf /var/lib/apt/lists/*

COPY ./requirements.txt /tmp/requirements.txt
RUN pip install -r /tmp/requirements.txt

It worked perfectly when I built an image:

$ docker build . --build-arg GITHUB_TOKEN=THIS_IS_MY_GITHUB_TOKEN -t wow/my_app:latest

But when I inspected the image, it showed GITHUB_TOKEN in the Cmd section:

$ docker image inspect wow/my_app:latest

"ContainerConfig": {
    "Cmd": [
        "pip install -r /tmp/requirements.txt"

I think this could lead to a security problem. How can I solve this so that no credential info appears in docker inspect?

Asked By: user3595632



If you build your image using BuildKit, you can take advantage of Docker build secrets.

You would structure your Dockerfile something like this:

FROM python:3.8.11

RUN apt-get update && \
    apt-get -y install gcc curl && \
    rm -rf /var/lib/apt/lists/*

COPY ./requirements.txt /tmp/requirements.txt
RUN --mount=type=secret,id=GITHUB_TOKEN \
  GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) \
  pip install -r /tmp/requirements.txt

And then if you have a GITHUB_TOKEN environment variable in your local environment, you could run:

docker buildx build --secret id=GITHUB_TOKEN -t myimage .

Or if you have the value in a file, you could run:

docker buildx build \
  --secret id=GITHUB_TOKEN,src=github_token.txt \
  -t myimage .

In either case, the setting will not be baked into the resulting image. See the linked documentation for more information.

Answered By: larsks
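As an added example (not part of larsks's answer or the original question), here is a small Python audit script that checks an image's metadata for a leaked token, so you can verify after the build that the secret mount really kept the value out of the image. It assumes you feed it the output of `docker image inspect <image>` and `docker history --no-trunc --format '{{json .}}' <image>`; the JSON embedded below is constructed to mimic those outputs rather than captured from a real build, and the `|1 GITHUB_TOKEN=...` layer-command shape is how `docker history` records a value passed with `--build-arg` (the `audit_image` helper that shells out to docker is mine as well).

```python
"""Audit Docker image metadata for a leaked build-time secret.

Two sources are checked: the JSON from `docker image inspect` (Config.Env,
Config.Cmd, ContainerConfig, ...) and the newline-delimited JSON from
`docker history --no-trunc --format '{{json .}}'`, whose CreatedBy field
holds the command that produced each layer.
"""
import json
import re
import subprocess
from typing import Iterator, List

# Constructed sample of `docker image inspect` output (shape only, not a real image).
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:" + "0" * 64,
    "Config": {
        "Env": ["PATH=/usr/local/bin:/usr/bin"],
        "Cmd": ["python3"],
    },
    "ContainerConfig": {
        "Cmd": ["/bin/sh", "-c", "pip install -r /tmp/requirements.txt"],
    },
}])

# Constructed `docker history` records. The first mimics a layer built with
# `--build-arg GITHUB_TOKEN=...` (the ARG value is recorded as `|1 NAME=VALUE`);
# the second mimics the `--mount=type=secret` variant, where only the variable
# name appears in the command and the value never reaches the metadata.
SAMPLE_HISTORY = "\n".join(json.dumps(rec) for rec in [
    {"CreatedBy": "|1 GITHUB_TOKEN=THIS_IS_MY_GITHUB_TOKEN /bin/sh -c "
                  "pip install -r /tmp/requirements.txt"},
    {"CreatedBy": "RUN /bin/sh -c GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) "
                  "pip install -r /tmp/requirements.txt # buildkit"},
    {"CreatedBy": "COPY ./requirements.txt /tmp/requirements.txt # buildkit"},
])

# A layer command that starts with `|<n> NAME=` carries recorded ARG values.
RECORDED_ARG = re.compile(r"^\|\d+\s+\S+=")


def iter_strings(node) -> Iterator[str]:
    """Yield every string nested anywhere in a parsed JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def history_commands(history_ndjson: str) -> List[str]:
    """Extract the CreatedBy command of each layer from history NDJSON."""
    commands = []
    for line in history_ndjson.splitlines():
        if line.strip():
            commands.append(json.loads(line).get("CreatedBy", ""))
    return commands


def find_secret(inspect_json: str, history_ndjson: str, secret: str) -> List[str]:
    """Return every metadata string that contains the secret value verbatim."""
    hits = [s for s in iter_strings(json.loads(inspect_json)) if secret in s]
    hits += [cmd for cmd in history_commands(history_ndjson) if secret in cmd]
    return hits


def find_build_args(history_ndjson: str) -> List[str]:
    """Return layer commands that embed ARG values, without knowing the secret.

    Useful as a generic check: any `|<n> NAME=VALUE` prefix means a build
    argument was baked into the layer history.
    """
    return [cmd for cmd in history_commands(history_ndjson) if RECORDED_ARG.match(cmd)]


def audit_image(image: str, secret: str) -> List[str]:
    """Run the two docker commands against a local image and audit the result."""
    inspect_json = subprocess.check_output(
        ["docker", "image", "inspect", image], text=True)
    history_ndjson = subprocess.check_output(
        ["docker", "history", "--no-trunc", "--format", "{{json .}}", image], text=True)
    return find_secret(inspect_json, history_ndjson, secret) + find_build_args(history_ndjson)


if __name__ == "__main__":
    for hit in find_secret(SAMPLE_INSPECT, SAMPLE_HISTORY, "THIS_IS_MY_GITHUB_TOKEN"):
        print("secret value found in image metadata:", hit)
    for hit in find_build_args(SAMPLE_HISTORY):
        print("recorded build arg in layer history:", hit)
```

Against the constructed sample the only hit is the `--build-arg` layer; the secret-mount layer mentions `GITHUB_TOKEN` by name but never contains the value, which is exactly the property the answer relies on. Run `audit_image("wow/my_app:latest", token)` after a real build to make the same check against your own image; an empty list is the expected result.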
