Skip to main content

Secrets

Dagger supports the use of confidential information, such as passwords, API keys, SSH keys, access tokens and so on, in your pipelines. These "secrets" can be passed to Dagger Functions as arguments from host environment variables, the host filesystem or the result of host command execution.

Dagger has built-in safeguards to ensure that secrets are used without exposing them in plaintext logs, writing them into the filesystem of containers you're building, or inserting them into the cache. This ensures that sensitive data does not leak - for example, in the event of a crash.

Here's an example of a pipeline that receives and uses a GitHub personal access token (sourced from the host environment) as a secret:

package main

import (
"context"
"dagger/my-module/internal/dagger"
)

type MyModule struct{}

func (m *MyModule) GithubApi(
ctx context.Context,
token *dagger.Secret,
) (string, error) {
return dag.Container().
From("alpine:3.17").
WithSecretVariable("GITHUB_API_TOKEN", token).
WithExec([]string{"apk", "add", "curl"}).
WithExec([]string{"sh", "-c", `curl "https://api.github.com/repos/dagger/dagger/issues" --header "Accept: application/vnd.github+json" --header "Authorization: Bearer $GITHUB_API_TOKEN"`}).
Stdout(ctx)
}

See it in action:

Secret from environment

Secrets can also be passed using files (shown below) or from command output:

Secret from file

Learn more