Conversation

@nicholaspsmith
Owner

Summary

This PR fixes Docker BuildKit security warnings (SecretsUsedInArgOrEnv and LegacyKeyValueFormat) by improving secret handling and configuration format in the Dockerfile.

Changes

  1. BuildKit secrets for sensitive data: Using BuildKit secrets for SENTRY_AUTH_TOKEN instead of build-args, ensuring sensitive tokens are not baked into image layers or build cache
  2. Placeholder for runtime secrets: API_KEY_ENCRYPTION_SECRET uses a placeholder at build time with the real value injected at runtime via environment variables
  3. Fixed legacy ENV format: Updated all ENV statements to use modern key=value format instead of separate key value declarations

Why This Matters

  • Security: Sensitive credentials are mounted as secrets during build only, not stored in image history
  • Best practices: Follows Docker and BuildKit security recommendations for handling credentials
  • Clean builds: Eliminates Docker build warnings about secret usage and environment format

Test Plan

  • Docker image builds successfully without warnings
  • Verify Sentry integration still works in production
  • Confirm API key encryption works at runtime
  • Test local development build with docker-compose

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
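The two warnings the PR removes can be reproduced with a small lint. The script below is an added example, not code from this PR or the project's Dockerfile: it embeds two constructed Dockerfile fragments (a "before" shape with the token passed as a build-arg and copied into a legacy-format ENV, and an "after" shape using a BuildKit secret mount and key=value ENV) and counts the lines that would trip an approximation of BuildKit's SecretsUsedInArgOrEnv and LegacyKeyValueFormat checks. The secret id `sentry_auth_token`, the placeholder value and the keyword list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the project's code: a minimal lint approximating the two
# BuildKit checks this PR addresses (SecretsUsedInArgOrEnv for build-args,
# LegacyKeyValueFormat for ENV), run over two constructed Dockerfile fragments.
# The fragments, the secret id "sentry_auth_token" and the placeholder value
# are assumptions for illustration; the real Dockerfile may differ.

# Constructed "before" fragment: the token arrives as a build-arg, is copied
# into ENV (so it persists in the image config and layer history), and ENV
# uses the legacy "KEY value" spelling.
DOCKERFILE_BEFORE='ARG SENTRY_AUTH_TOKEN
ENV SENTRY_AUTH_TOKEN $SENTRY_AUTH_TOKEN
ENV NODE_ENV production
RUN npm run build'

# Constructed "after" fragment: the token is mounted from a BuildKit secret for
# the one RUN step that needs it and is never written to a layer; the runtime
# secret holds a placeholder that the deployment overrides; ENV uses key=value.
DOCKERFILE_AFTER='ENV NODE_ENV=production
ENV API_KEY_ENCRYPTION_SECRET=placeholder-set-at-runtime
RUN --mount=type=secret,id=sentry_auth_token \
    SENTRY_AUTH_TOKEN="$(cat /run/secrets/sentry_auth_token)" npm run build'

# Prints how many lines of $1 match the extended regex $2 (prints 0 on no
# match, with a zero exit status so callers under "set -e" keep running).
count_matches() {
  printf '%s\n' "$1" | grep -E -c "$2" || true
}

# Legacy form: "ENV NAME value" (NAME followed by whitespace, then something
# that is not "=").  "ENV NAME=value" and "ENV A=1 B=2" do not match.
legacy_env_count() {
  count_matches "$1" '^[[:space:]]*ENV[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+[^=[:space:]]'
}

# Build-args whose name suggests a credential.  This keyword list is a
# simplification of BuildKit's heuristic, not its exact rule (assumption).
secret_arg_count() {
  count_matches "$1" '^[[:space:]]*ARG[[:space:]]+[A-Za-z0-9_]*(SECRET|TOKEN|PASSW(OR)?D|API_?KEY|CREDENTIAL)'
}

# Total number of findings for one Dockerfile text.
lint_dockerfile() {
  echo $(( $(legacy_env_count "$1") + $(secret_arg_count "$1") ))
}

echo "before: $(lint_dockerfile "$DOCKERFILE_BEFORE") finding(s)"   # 3
echo "after:  $(lint_dockerfile "$DOCKERFILE_AFTER") finding(s)"    # 0
```

With the "after" shape, the token is supplied at build time through BuildKit's secret mechanism (for example `docker build --secret id=sentry_auth_token,env=SENTRY_AUTH_TOKEN .`), so it is readable under `/run/secrets/` only inside that one RUN step and never appears in `docker history` or the image config. The runtime placeholder is only safe if the deployment really overrides it; a quick check after rollout is to confirm the container's environment no longer carries the placeholder string.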
@nicholaspsmith nicholaspsmith merged commit 9f03267 into main Jan 14, 2026
9 checks passed
@nicholaspsmith nicholaspsmith deleted the fix-docker-secrets-warnings branch January 14, 2026 16:45