It’s easy to accidentally leak secrets, tokens, and keys into images when building them.

To stay safe, follow these guidelines:

• Use multi-stage builds.
• Use the Docker secrets feature to mount sensitive files without caching them (supported only from Docker 18.04).
• Use a .dockerignore file to avoid a hazardous COPY instruction, which pulls in sensitive files that are part of the build context.