In many projects, developers store API keys, tokens, and DB credentials in .env files. While convenient, this approach poses serious security risks – especially if those files accidentally get baked into Docker images or committed to version control.
Instead, consider more secure and scalable alternatives:
GitLab CI/CD Environment Variables
Store secrets directly in GitLab under Settings → CI/CD → Variables. At runtime, inject them into your Docker containers through the environment key in your docker-compose.yml or via the --env flag of docker run.
Docker Secrets (Swarm Mode)
For production setups using Docker Swarm, Docker secrets provide a secure way to inject sensitive data into containers. Secrets are mounted into the container as files at runtime (e.g., under /run/secrets/) and are never baked into images.
Minimal approaches like docker-keys
For lighter setups, you can skip .env files altogether and feed environment variables directly from your CI/CD pipeline into Docker during build or run time. Clean, safe, and version-control free.
Never bake secrets into Docker images or commit .env files to Git!
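As an added example (not from the original post), here is a POSIX sh entrypoint helper that resolves a secret from a Docker secrets file mount before falling back to an environment variable injected by the CI/CD pipeline, plus a pre-build check that .env is ignored by both Git and Docker. The SECRETS_DIR variable, the NAME_FILE override convention and the function names are assumptions, not Docker or GitLab features.

```shell
#!/bin/sh
# Constructed example: resolve secret NAME from, in order,
#   1. the file named by $NAME_FILE (explicit override),
#   2. $SECRETS_DIR/NAME (Docker's default mount point is /run/secrets),
#   3. the plain environment variable $NAME (injected from CI/CD).
# The function fails (exit 1) without printing anything when none exists.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

load_secret() {
  name="$1"
  # Indirect expansion in POSIX sh; $name is a literal written in the
  # entrypoint, never user-controlled, so eval sees no untrusted input.
  eval "file=\${${name}_FILE:-}"
  eval "plain=\${${name}:-}"
  if [ -n "$file" ]; then
    [ -r "$file" ] || return 1
    cat "$file"                 # $(...) strips the trailing newline
  elif [ -r "$SECRETS_DIR/$name" ]; then
    cat "$SECRETS_DIR/$name"
  elif [ -n "$plain" ]; then
    printf '%s\n' "$plain"
  else
    return 1
  fi
}

# Pre-build guard for "never bake .env into images or commit it to Git":
# succeeds only when .env is listed in BOTH .gitignore and .dockerignore
# of the project directory given as $1.
env_file_is_ignored() {
  dir="$1"
  for f in .gitignore .dockerignore; do
    grep -qx '\.env' "$dir/$f" 2>/dev/null || return 1
  done
  return 0
}

# Stand-alone usage as a container entrypoint: refuse to start without
# the DB password, then hand over to the real command.
if [ "${0##*/}" = "entrypoint.sh" ]; then
  DB_PASSWORD="$(load_secret DB_PASSWORD)" || { echo "DB_PASSWORD missing" >&2; exit 1; }
  export DB_PASSWORD
  exec "$@"
fi
```

Because the secret is read at container start, nothing is written into an image layer, and the same image runs unchanged with GitLab CI variables in staging and Docker secrets in Swarm.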
Secrets management is just as important as clean code. Let’s treat it like a first-class citizen in our DevOps practices.