Clarify warning against using build-time variables for secrets

Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2022-11-09 12:21:53 -05:00 · 2016-07-11 21:18:03 -04:00 · 2016-07-11 21:18:03 -04:00 · 9af24ba3ac
commit 9af24ba3ac
parent 880484992c
2 changed files with 6 additions and 4 deletions
--- a/docs/reference/builder.md
+++ b/docs/reference/builder.md
@ -1292,8 +1292,9 @@ subsequent line 3. The `USER` at line 4 evaluates to `what_user` as `user` is
 defined and the `what_user` value was passed on the command line. Prior to its definition by an
 `ARG` instruction, any use of a variable results in an empty string.

-> **Note:** It is not recommended to use build-time variables for
->  passing secrets like github keys, user credentials etc.
+> **Warning:** It is not recommended to use build-time variables for
+>  passing secrets like github keys, user credentials etc. Build-time variable
+>  values are visible to any user of the image with the `docker history` command.

 You can use an `ARG` or an `ENV` instruction to specify variables that are
 available to the `RUN` instruction. Environment variables defined using the
--- a/man/Dockerfile.5.md
+++ b/man/Dockerfile.5.md
@ -376,8 +376,9 @@ A Dockerfile is similar to a Makefile.
  defined and the `what_user` value was passed on the command line. Prior to its definition by an
  `ARG` instruction, any use of a variable results in an empty string.

-  > **Note:** It is not recommended to use build-time variables for
-  >  passing secrets like github keys, user credentials etc.
+  > **Warning:** It is not recommended to use build-time variables for
+  >  passing secrets like github keys, user credentials etc. Build-time variable
+  >  values are visible to any user of the image with the `docker history` command.

  You can use an `ARG` or an `ENV` instruction to specify variables that are
  available to the `RUN` instruction. Environment variables defined using the