How to maintain debian repo secrets in the docker file

We need to install the apt packages from our artifactory server in the docker image during docker build. In order to install the packages from the artifactory server, we need to update the deb sources in /etc/apt/sources.list with credentials.
We don't want to distribute the credentials. Please suggest any solutions to overcome this challenge.

Use the ephemeral build-time ARG instruction instead of the persisted ENV instruction in the Dockerfile. Then pass the value to docker build using --build-arg key=value

Currently I am using --build-arg key=value to send the secrets to the docker build. Debian requires the credentials to be stored in the file /etc/apt/sources.list. We cannot install apt packages without storing the credentials in sources.list.

I would try to use the build argument variable to store the credential, run the apt-get install commands and then remove the credentials so nothing would be stored permanently. When the image is created, none of the layers will contain the credentials.

Or I guess you could run a proxy server in another container which would forward the traffic to the actual Debian repository and also add the credentials.

You probably prefer to choose the first idea. I think the easiest way to change the sources.list file, install, and then remove the file or replace it with a new one would be using envsubst.

https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html

This is not the complete tested solution, just an example to demonstrate the idea:

RUN instruction in the Dockerfile

# copy the script into the image, run it, then overwrite the
# (already removed) sources.list with a credential-free version
COPY install.sh /install.sh
RUN /install.sh
COPY public-sources.list /etc/apt/sources.list

install.sh

#!/bin/bash

set -eu -o pipefail

# render the template with REPO_USER / REPO_PASS from the build args
envsubst < /etc/apt/sources.list.tpl > /etc/apt/sources.list
apt-get update
apt-get install ....
# remove the rendered file so the credentials do not stay in this layer
unlink /etc/apt/sources.list

/etc/apt/sources.list.tpl

deb https://${REPO_USER}:${REPO_PASS}/....

The challenge is that with a large group of development teams using this approach, it is not possible to verify in all the Dockerfiles that they are removing the credential after use.

Now that you mention it, I realized I forgot to mention another and probably better idea. You can use BuildKit to mount a sources.list file from the host only during build.

This does not mention the “bind” mount but you can find an example of the Dockerfile of Compose v2:

But there is no guarantee that everyone will use that without leaving a secret in one of the layers, but that is the responsibility of the developers if you really need a private repository without using a proxy to handle the credentials. You could try to find or create a tool that searches for secrets in the sources.list in every layer before publishing the image in the registry.
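The BuildKit secret mount described above, as an added example that is not part of the original thread or of any project's code. It keeps sources.list free of credentials and instead mounts an apt auth.conf file only for the duration of the RUN step, so no layer ever contains the secret; the repository host, package name and secret id are placeholders.

```dockerfile
# syntax=docker/dockerfile:1
FROM debian:bookworm-slim

# Credential-free repository entry (placeholder host and path). This line is
# safe to persist in a layer because it carries no secret.
RUN printf 'deb https://artifactory.example.internal/artifactory/debian bookworm main\n' \
      > /etc/apt/sources.list.d/artifactory.list

# The secret file is provided by BuildKit as a tmpfs-backed mount that exists
# only while this RUN step executes; it is never written into an image layer.
# apt looks up credentials per host in /etc/apt/auth.conf.d/ (apt_auth.conf(5)),
# so the URL in sources.list stays clean. Default mount mode is 0400, root-owned.
RUN --mount=type=secret,id=apt_auth,target=/etc/apt/auth.conf.d/artifactory.conf \
    apt-get update \
 && apt-get install -y --no-install-recommends my-internal-package \
 && rm -rf /var/lib/apt/lists/*

# Build from the host with (artifactory.conf is a constructed example file and
# must not be COPYed into the image or committed to the repo):
#
#   artifactory.conf:
#     machine artifactory.example.internal login <user> password <token>
#
#   DOCKER_BUILDKIT=1 docker build --secret id=apt_auth,src=./artifactory.conf -t myimage .
#
# Because the credential never lands in a layer, `docker history` and a
# layer-by-layer scan of the saved image show only the credential-free list.
```

If a build step forgets the --mount and writes the secret to disk instead, a layer scan before pushing to the registry (as the post suggests) is still the safety net; the mount approach removes the need for developers to remember to delete the file.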