🔐 Build Security Improvement: Migration from Build Args to BuildKit Secrets
Big thanks to @OmarElaraby26 for raising and fixing this issue 🤝
This release changes how private apps.json data is handled during image builds to improve security and prevent accidental secret exposure.
Previously, apps.json (which may contain private repository URLs and access tokens) was passed via --build-arg. This is unsafe because build-argument values are recorded in the image's layer metadata and can be recovered by anyone who can pull the image.
To fix this, we migrated to Docker BuildKit's --mount=type=secret, which makes the file available only to the build step that mounts it and never persists it in any image layer or metadata.
What changed
❌ Removed ARG APPS_JSON_BASE64 usage in Containerfiles
❌ Removed passing --build-arg APPS_JSON_BASE64
✅ Introduced BuildKit --mount=type=secret for apps.json
✅ Updated documentation to use --secret instead of --build-arg
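The migration in concrete form, as an added example rather than the project's own Containerfiles: the old pattern that records the arg in layer metadata, the BuildKit-secret replacement, the matching build commands, and a check that scans saved `docker history` output for the arg name. The secret id `apps_json`, the default mount path `/run/secrets/apps_json`, the image tags and the sample apps.json are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the project's own code): the unsafe build-arg pattern,
# the BuildKit-secret replacement, and a check that scans `docker history`
# output for a leaked build arg. Assumptions: the secret id "apps_json", the
# default mount path /run/secrets/apps_json, and the image tags used below.
set -eu

# Before: apps.json passed as an ARG. Its value lands in the layer metadata.
write_unsafe_containerfile() {  # $1 = output path
  cat > "$1" <<'EOF'
FROM alpine:3.20
ARG APPS_JSON_BASE64
RUN echo "$APPS_JSON_BASE64" | base64 -d > /opt/apps.json
EOF
}

# After: apps.json mounted as a BuildKit secret for this RUN step only.
# Consume it inside the step (the real build clones from its URLs); never
# copy it into the image filesystem, or the layer would persist it anyway.
write_secret_containerfile() {  # $1 = output path
  cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine:3.20
RUN --mount=type=secret,id=apps_json,required=true \
    grep -c '"url"' /run/secrets/apps_json
EOF
}

# Constructed apps.json with a placeholder token (not a real credential).
write_sample_apps_json() {  # $1 = output path
  cat > "$1" <<'EOF'
[{"url": "https://oauth2:EXAMPLE_TOKEN@github.com/example/private_app.git", "branch": "main"}]
EOF
}

# Build with --build-arg (unsafe) or --secret (safe). The --mount syntax needs
# BuildKit; DOCKER_BUILDKIT=1 covers older daemons where it is not the default.
build_unsafe() {  # $1 = context dir, $2 = image tag
  docker build -f "$1/Containerfile.unsafe" -t "$2" \
    --build-arg APPS_JSON_BASE64="$(base64 "$1/apps.json" | tr -d '\n')" "$1"
}
build_with_secret() {  # $1 = context dir, $2 = image tag
  DOCKER_BUILDKIT=1 docker build -f "$1/Containerfile.safe" -t "$2" \
    --secret id=apps_json,src="$1/apps.json" "$1"
}

# Check: does a saved `docker history --no-trunc` listing mention the arg?
# Returns 0 when the arg name appears in any layer's CREATED BY text, 1 if not.
# The column layout differs between the classic builder and BuildKit, so match
# on the arg name rather than on a fixed line prefix.
history_leaks_arg() {  # $1 = file holding the history output
  grep -q 'APPS_JSON_BASE64' "$1"
}

# Only run the real builds when a Docker daemon is reachable.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
  ctx=$(mktemp -d)
  write_unsafe_containerfile "$ctx/Containerfile.unsafe"
  write_secret_containerfile "$ctx/Containerfile.safe"
  write_sample_apps_json "$ctx/apps.json"
  build_unsafe "$ctx" example/apps:unsafe
  build_with_secret "$ctx" example/apps:safe
  docker history --no-trunc example/apps:unsafe > "$ctx/unsafe.hist"
  docker history --no-trunc example/apps:safe > "$ctx/safe.hist"
  history_leaks_arg "$ctx/unsafe.hist" && echo "unsafe image: build arg visible in history"
  history_leaks_arg "$ctx/safe.hist" || echo "secret image: no trace of apps.json in history"
fi
```

Two points worth keeping in mind when adopting this: `required=true` makes the build fail early if the `--secret` flag is forgotten instead of silently producing an image without the apps, and the secret is only protected while it stays inside the mounting RUN step, so anything the step writes to the filesystem (a decoded copy, a .git/config with an embedded token) will still be persisted in the layer. Images built before this release still carry the old arg in their history, so any token that was ever passed via --build-arg should be treated as exposed and rotated.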
Why this change was necessary
This fixes a security issue where private credentials could be extracted from built images. The new approach follows Docker's recommended practice for sensitive build-time data and removes this source of secret leakage.
What's Changed
- fix(security): replace APPS_JSON_BASE64 build-arg with BuildKit secret by @OmarElaraby26 in #1861
New Contributors
- @OmarElaraby26 made their first contribution in #1861
Full Changelog: v2.2.3...v3.0.0