Conversation

@SpeedySH SpeedySH commented Nov 2, 2025

Relates to issue #57

This commit adds support for passing build-time secrets to the imageBuild
method using Docker BuildKit's secret mounting feature. This allows users
to securely pass sensitive data during image builds without exposing it
in the final image layers or build history.

Changes:
- Add optional `secrets` parameter to imageBuild method options
  - Accepts Record<string, string> mapping secret IDs to their values
  - Secrets are passed to Docker API as JSON-encoded query parameter
  - Requires BuildKit (version: '2') to function

- Add comprehensive JSDoc documentation for the secrets parameter
  - Explains usage with RUN --mount=type=secret syntax
  - Links to official Docker BuildKit secrets documentation

- Add test case for BuildKit secrets functionality
  - Tests secret mounting during build
  - Verifies secrets are available during build but not in final image
  - Uses Alpine Linux base image with secret verification

Security Benefits:
- Secrets are NOT stored in image layers or history
- Secrets are only available during build time at /run/secrets/<id>
- No exposure in 'docker history' or image inspection
- Follows Docker/Moby BuildKit API standards

Backwards Compatibility:
- Fully backwards compatible - secrets parameter is optional
- Ignored when using classic builder (version: '1')
- No breaking changes to existing API

Related: BuildKit secrets support feature request
@SpeedySH SpeedySH requested a review from wmluke as a code owner November 2, 2025 11:39
SpeedySH (Author) commented Nov 2, 2025

@ndeloof check please

target: options?.target,
outputs: options?.outputs,
version: options?.version || '2',
secret: secretsParam,
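Review bot: `secret` is not a query parameter that the Moby `POST /build` endpoint accepts, so `secret: secretsParam` will be silently dropped by the daemon rather than rejected, and a Dockerfile `RUN --mount=type=secret,id=<id>` step will then run with no file under `/run/secrets/<id>` and no error unless the mount sets `required=true`; the option should either be rejected up front by `imageBuild` or documented as unsupported by the REST client instead of being accepted and ignored. Independently of support, serialising secret values into the request's query string puts them into any access log, proxy log or client debug trace on the path to the daemon socket, which is the exposure that mounting them as files is meant to avoid.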
ndeloof (Collaborator) commented on the lines above, Nov 3, 2025

SpeedySH (Author) commented Nov 4, 2025

Yes, this is not natively supported by the API; for example, here is a set of issues and pull request attempts in the Python library. It is unclear whether it will be implemented or not, since the API does not have the ability to pass secrets, only the ability to call it by mounting, although developers need it. What do you think about this?

docker/docker-py#3344
moby/moby#48112

ndeloof (Collaborator) commented Nov 4, 2025

I don't expect this to be implemented by the moby /build endpoint, as buildkit actually uses a separate (gRPC) API to offer such features, with the requirement to run the buildx client.
We have some plans for a dedicated build SDK in this repo to support this, but this will live in a dedicated module and will rely on executing the buildx binary.

ndeloof (Collaborator) commented Nov 4, 2025

Closing this PR, as the target endpoint parameter doesn't actually exist in Moby.

@ndeloof ndeloof closed this Nov 4, 2025