{"title":"Agent Secrets Injection: Docker","region":"Global","category":"Security","description":"Securely delivering API keys and database credentials to agents without leaking them in logs or images.","lastUpdated":"2026-02-27","steps":["Use `docker secrets` or `docker compose secrets` to mount keys as temporary files.","Prohibit the use of `ARG` or `ENV` for sensitive data to prevent image-layer leaks.","Mount `/run/secrets` as a read-only volume accessible only by the agent process.","Rotate keys automatically; the agent must handle SIGTERM and reload new secrets.","Scrub environment logs to ensure secrets are never echoed in `docker inspect` outputs."],"url":"https://checklist.day/agent-secrets-injection-docker"}