A Better Way to Access Private SSH Git Repositories While Building Your Docker Images

I have written about this topic before in the past. If you don’t watch out, you can easily leak your SSH credentials into your Docker image, sometimes without even noticing. Handling build-time secrets got easier with BuildKit, and the same goes for SSH secrets.

However, there’s a special mechanism to pass SSH credentials into your building Docker image without leaving a trace, with is an even better fit than the new secret mount type.

A Better Way

With the new SSH mount type you can allow your Docker build to make use of your host’s SSH keys.

Here’s how it looks like:

RUN --mount=type=ssh ...

You add the new mount type to your RUN command, and the whole process is taken care of for you. You can read more about this features here in the docs.

In Conclusion

If you have been passing SSH credentials into your Docker images insecurely, had to use elaborate workflows or extra steps, you might benefit from switching to BuildKit and using the ssh mount type to give single image build steps access to your host’s SSH keys.

If you’re looking to pass non-secret data to your image build, check out this article. If you want to pass generic, non-SSH secrets to your image build process and leave behind no traces, there’s another BuildKit feature which could help you do that.