import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem';

Secrets

Dagger has first-class support for "secrets", such as passwords, API keys, SSH keys and so on. These secrets can be securely used in Dagger functions without exposing them in plaintext logs, writing them into the filesystem of containers you're building, or inserting them into the cache.

Here is an example, which uses a secret in a Dagger function chain:

<Tabs groupId="language"> <TabItem value="System shell"> ```shell dagger <<'EOF' container | from alpine:latest | with-secret-variable MY_SECRET env://API_TOKEN | with-exec -- sh -c 'echo this is the secret: $MY_SECRET' | stdout EOF ``` </TabItem> <TabItem value="Dagger Shell"> ```shell title="First type 'dagger' for interactive mode." container | from alpine:latest | with-secret-variable MY_SECRET env://API_TOKEN | with-exec -- sh -c 'echo this is the secret: $MY_SECRET' | stdout ``` </TabItem> <TabItem value="Dagger CLI"> ```shell dagger core container \ from --address=alpine:latest \ with-secret-variable --name="MY_SECRET" --secret="env://API_TOKEN" \ with-exec --args="sh","-c",'echo this is the secret: $MY_SECRET' \ stdout ``` </TabItem> <TabItem value="Go"> ```go file=./snippets/secrets/go/main.go ``` </TabItem> <TabItem value="Python"> ```python file=./snippets/secrets/python/main.py ``` </TabItem> <TabItem value="TypeScript"> ```typescript file=./snippets/secrets/typescript/index.ts ``` </TabItem> </Tabs>

Secret arguments can be sourced from multiple providers: the host environment, the host filesystem, the result of host command execution, and external secret managers 1Password and Vault.

Security considerations

• Dagger automatically scrubs secrets from its various logs and output streams. This ensures that sensitive data does not leak - for example, in the event of a crash.
• Secret plaintext should be handled securely within your Dagger pipeline. For example, you should not write secret plaintext to a file, as it could then be stored in the Dagger cache.