What is the purpose of Docker’s BuildKit secret mount (RUN –mount=type=secret) and how does it improve security over ARG or ENV?

Question

Docker Fundamentals — Hard

What is the purpose of Docker’s BuildKit secret mount (RUN –mount=type=secret) and how does it improve security over ARG or ENV?

Accepted Answer

BuildKit secret mounts in Docker allow sensitive data to be used during a specific RUN instruction without being stored in any image layer, enhancing security by preventing secrets from being exposed in the image history. This is a more secure approach compared to using ARG or ENV, which can be extracted from the image history.