Securely pass a secret to a curl command in a Docker container

Konstantin Shapkin
May 4, 2021

Suppose you need to download a file from a repository that requires authentication. The regular curl command is:

Dockerfile:

FROM debian:buster-slim
RUN apt-get update && apt-get install -y curl
RUN curl --user username:password --output filename.zip https://repository.example.com/filename.zip

But if you run this command inside a Dockerfile in a CI pipeline, you leave your secrets in the CI logs forever.

You can save your credentials in a .netrc file and use this file securely in the RUN step:

RUN --mount=type=secret,id=netrc curl --netrc-file /run/secrets/netrc https://repository.example.com/filename.zip

To use this feature you need Docker BuildKit and experimental syntax support in the Dockerfile. Add this header to your Dockerfile:

# syntax=docker/dockerfile:experimental

Putting all the lines together, the resulting Dockerfile is:

# syntax=docker/dockerfile:experimental
FROM debian:buster-slim
RUN apt-get update && apt-get install -y curl
RUN --mount=type=secret,id=netrc curl --netrc-file /run/secrets/netrc --output filename.zip https://repository.example.com/filename.zip

Then start the build with BuildKit:

DOCKER_BUILDKIT=1 docker build --secret id=netrc,src=/tmp/.netrc .
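
The post does not show the .netrc file itself. The following added example (not code from the original post) writes it in the netrc format curl reads, with owner-only permissions, wraps the build command above so the file is deleted afterwards, and checks a saved build log for the password. The function names are hypothetical, and values are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# host, login and password come from the caller (e.g. masked CI variables).

# write_netrc FILE HOST LOGIN PASSWORD
# Creates FILE with a single netrc entry, readable by its owner only.
write_netrc() {
    (
        umask 077   # a newly created file is never briefly world-readable
        printf 'machine %s\nlogin %s\npassword %s\n' "$2" "$3" "$4" > "$1" &&
            chmod 600 "$1"   # also tightens a file that already existed
    )
}

# leaks_secret FILE SECRET
# Succeeds if SECRET appears literally in FILE, e.g. a saved CI build log
# or the captured output of `docker history --no-trunc IMAGE`.
leaks_secret() {
    grep -qF -e "$2" "$1"
}

# build_with_netrc CONTEXT HOST LOGIN PASSWORD
# Writes a throwaway .netrc, runs the BuildKit build from the post, and
# removes the file whether or not the build succeeds.
build_with_netrc() {
    dir=$(mktemp -d) || return 1
    rc=0
    write_netrc "$dir/.netrc" "$2" "$3" "$4" &&
        DOCKER_BUILDKIT=1 docker build --secret id=netrc,src="$dir/.netrc" "$1" ||
        rc=$?
    rm -rf "$dir"
    return "$rc"
}
```
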
