Setting an environment variable using the ENV instruction creates a new layer in the Docker image. The variable is then persisted for all subsequent build stages and is also present in the resulting image. Calling RUN unset <env-variable> unsets the variable only for this particular layer, but it is still possible to dump the environment variable from the previous layer.

Why is this an issue?

Environment variables often contain secrets, tokens, and other sensitive information. They are present in the containers and can be dumped at any time. Calling unset does not hide this information from other commands: the value set by ENV remains in the earlier layer.

How to fix it

If an environment variable is needed only during build, this variable should be set and unset in a single RUN instruction.

Code examples

Noncompliant code example

ENV ADMIN_USER="admin"
RUN unset ADMIN_USER

Compliant solution

RUN export ADMIN_USER="admin" \
    && ... \
    && unset ADMIN_USER

How does this work?

In the noncompliant example, unset removes ADMIN_USER only from that single layer; the value set by ENV can still be extracted from the image. The best solution is to use ARG instead of ENV, or to set and unset the variable in the same RUN instruction.
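As an added example (not code from the rule page or from SonarSource), the following Python check flags the noncompliant pattern described above: a variable declared with ENV that a later RUN instruction tries to unset. The two Dockerfiles it scans are constructed sample input; the check joins backslash-continued lines so that the compliant single-RUN form is not reported.

```python
import re
from typing import List, Tuple

# Constructed sample input: ENV followed by a later RUN unset (noncompliant).
NONCOMPLIANT = """\
FROM alpine:3.19
ENV ADMIN_USER="admin" OTHER=x
RUN apk add --no-cache curl
RUN unset ADMIN_USER OTHER
"""

# Constructed sample input: set and unset inside one RUN, plus an ARG (compliant).
COMPLIANT = """\
FROM alpine:3.19
ARG BUILD_TOKEN
RUN export ADMIN_USER="admin" \\
    && echo "$ADMIN_USER" > /tmp/user \\
    && unset ADMIN_USER
"""

def parse_instructions(dockerfile: str) -> List[Tuple[str, str]]:
    """Join backslash-continued lines and split into (INSTRUCTION, arguments) pairs."""
    joined = re.sub(r"\\\r?\n", " ", dockerfile)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        out.append((keyword.upper(), args.strip()))
    return out

def env_names(args: str) -> List[str]:
    """Names declared by ENV: both `ENV K=V K2=V2` and the legacy `ENV K V` form."""
    if "=" in args:
        return [m.group(1) for m in re.finditer(r"(?:^|\s)([A-Za-z_]\w*)=", args)]
    return args.split()[:1]

def find_unset_after_env(dockerfile: str) -> List[str]:
    """Return ENV variables that a later RUN unsets; their values stay in the image layer."""
    declared, findings = set(), []
    for keyword, args in parse_instructions(dockerfile):
        if keyword == "ENV":
            declared.update(env_names(args))
        elif keyword == "RUN":
            # `unset A B` may list several names; only ENV-declared ones are reported.
            for m in re.finditer(r"\bunset((?:\s+[A-Za-z_]\w*)+)", args):
                findings.extend(n for n in m.group(1).split() if n in declared)
    return findings
```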

Resources

Documentation