Docker: Using --password via the CLI is insecure. Use --password-stdin

Docker, Continuous Integration, Dockerfile

Docker Problem Overview


I have the following warning when I log in to my registry during a continuous integration (CI) process:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

Should I just replace --password with --password-stdin?

Docker Solutions


Solution 1 - Docker

According to docker documentation:

> To run the docker login command non-interactively, you can set the --password-stdin flag to provide a password through STDIN. Using STDIN prevents the password from ending up in the shell’s history, or log-files.

The following examples read a password from a file, and pass it to the docker login command using STDIN:

$ cat ~/my_password.txt | docker login --username foo --password-stdin

or

$ docker login --username foo --password-stdin < ~/my_password

The following example reads a password from a variable, and passes it to the docker login command using STDIN:

$ echo "$MY_PASSWORD" | docker login --username foo --password-stdin
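
Beyond shell history and log files, the arguments of a running process can be read by other local processes, while data sent on STDIN cannot. The script below is an added example, not part of the original answers or of Docker's documentation; `fake-login`, `SECRET`, `observed_argv` and `leaks` are hypothetical names, and the stand-in replaces `docker login` so the comparison runs on Linux without Docker.

```bash
#!/usr/bin/env bash
# Constructed demo: fake-login stands in for `docker login`, so neither Docker
# nor a registry is needed. Linux only (reads /proc/<pid>/cmdline).

SECRET='constructed-demo-token-123'   # constructed sample value, not a real credential

# Body of the stand-in client: drain STDIN when --password-stdin is given,
# signal readiness, stay alive briefly so its arguments can be inspected, and
# end on a builtin so the shell keeps its own argv instead of exec()ing sleep.
CLIENT='case " $* " in *" --password-stdin "*) cat >/dev/null ;; esac
: > "$READY"; sleep 1; exit 0'

# observed_argv MODE: run the stand-in with the secret passed by MODE
# ("argv" or "stdin") and print the arguments another local process can read.
observed_argv() {
  local dir pid out n=0
  dir=$(mktemp -d) || return 1
  export READY="$dir/ready"
  if [ "$1" = argv ]; then
    sh -c "$CLIENT" fake-login --username foo --password "$SECRET" </dev/null &
  else
    # printf is a shell builtin, so the secret is not an argument of any
    # exec'd program on the writing side of the pipe either.
    printf '%s\n' "$SECRET" |
      sh -c "$CLIENT" fake-login --username foo --password-stdin &
  fi
  pid=$!
  # Wait (at most about 5 s) until the client signals that it is running.
  until [ -e "$READY" ] || [ $((n+=1)) -gt 100 ]; do sleep 0.05; done
  out=$(tr '\0' ' ' < "/proc/$pid/cmdline")    # the data `ps` displays
  wait "$pid"
  rm -rf "$dir"
  printf '%s\n' "$out"
}

# leaks MODE: exit 0 if the secret shows up in the observed arguments.
leaks() { observed_argv "$1" | grep -qF -- "$SECRET"; }

if leaks argv; then echo "--password: secret readable in process arguments"; fi
if ! leaks stdin; then echo "--password-stdin: secret absent from process arguments"; fi
```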

Solution 2 - Docker

The same echo command on a Windows-based system (or when running in an Azure Pipelines task based on vs2017-win2016) also outputs an additional newline.

A workaround for this is to use set /p; see also question + answer.

The full command will be like:
echo | set /p="my_password" | docker login --username foo --password-stdin

Solution 3 - Docker

Windows 10 solution using PowerShell:

Use Notepad to create a one-line text file with your password. The file was named "password1.txt" for the command line below to work.
Save this file in the folder you are using in PowerShell (...typically C:\Users\Your_Username).

Get-Content password1.txt | docker login --username my_username --password-stdin

Refer: https://stackoverflow.com/questions/11447598/redirecting-standard-input-output-in-windows-powershell/11788475

Solution 4 - Docker

Set up in GitHub Actions:

echo ${{ secrets.DOCKER_TOKEN }} | docker login --username ${{ secrets.DOCKER_USERNAME }} --password-stdin

Solution 5 - Docker

This is a warning one commonly gets using AWS. If this is the case, another solution to the problem could be not explicitly running the command so that it gets stored in the history. To do this, one could use (with aws2)

eval $(aws2 ecr get-login --no-include-email)

Even though you will still see the warning, the explicit docker command containing the key/password is not stored in the bash history. If unconvinced, try running the history command to see for yourself.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | Dimitri Kopriwa | View Question on Stackoverflow |
| Solution 1 - Docker | nickgryg | View Answer on Stackoverflow |
| Solution 2 - Docker | Stef Heyenrath | View Answer on Stackoverflow |
| Solution 3 - Docker | tds | View Answer on Stackoverflow |
| Solution 4 - Docker | Jhonny Ramirez Zeballos | View Answer on Stackoverflow |
| Solution 5 - Docker | mapto | View Answer on Stackoverflow |