Can you elaborate on that? Are you seriously embedding secrets as part of source code, payload or configurations within your images and push them to a public registry?! Heck, people with the right state of mind don’t even push embedded secrets into a scm…
Or are you talking about
docker secrets? Because if you do, there are contradicting statements in your post: why would a docker secret be exposed from environment variables? Why would a docker secret be part of an image you build?
I assume you are speaking about docker secrets as in “runtime configurations” without necessarily meaning docker secrets… If you do speak about docker secrets, there are some oddities I’d like to share: even though docker secrects have buildin support for different drivers, there is practicaly no publicly available secret driver. Appart from a PoC that queries life data from a Hashicorp Vault, there is no other public driver I am aware of. The buildin secret driver is able to either use a string or read a file and mount its content as file into a container. Kubernetes on the other hand has different type of secrets for different use cases - docker or better swarm has just the technical stub implemented to support diffent drivers - but due to the availability of secret drivers, it is safe to say that swarm has only one simple secret type.
Environment variables and docker secrets are not the same thing. While environments can be used to store secrets as plain text payload, a docker secret actualy is mapped as a read-only file on a volatile tempfs mount into the container. Docker secrets will not showup in the environment, unless you specifly read the files and export them as a variables. Though, whoever is able to get into the container (docker exec? or an exploited app inside the container?) can’t be stopped from accessing its content either.
Maybee you are looking for something secure like HashiCorp Vault, or something less secure like a key/value store. Both would be external systems/containers and would be quried during runtime within your application.