5.2.3.3 Private Dependency Access
A focused guide to Private Dependency Access, connecting core concepts with practical Docker and container operations.
Private dependency access refers to the challenge of installing dependencies from sources that require authentication — a private package registry, a private Git repository — during a Docker build, and the secure patterns (secret mounts, SSH mounts) that address this without embedding credentials in the resulting image.
Accessing a Private Package Registry
Installing from an authenticated package registry requires supplying credentials during the install step, which should be done through a secret mount rather than a hardcoded or build-argument-supplied value.
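# Dockerfile (RUN --mount requires BuildKit)
# npm config set writes the token to ~/.npmrc, so delete it in the same RUN before the layer is committed
RUN --mount=type=secret,id=npm_token \
    npm config set //registry.npmjs.org/:_authToken="$(cat /run/secrets/npm_token)" \
    && npm install \
    && npm config delete //registry.npmjs.org/:_authToken
# Host shell
docker build --secret id=npm_token,src=./npm_token.txt -t myapp .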
Accessing a Private Git Repository
Cloning a private repository as part of a build step requires SSH-based authentication, accomplished through an SSH mount that forwards the host's SSH agent without copying any key into the image.
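# Dockerfile (github.com must already be in known_hosts inside the build, or the clone fails host-key verification)
RUN --mount=type=ssh git clone git@github.com:example/private-deps.git /tmp/deps
# Host shell: forwards the default SSH agent socket ($SSH_AUTH_SOCK)
docker build --ssh default -t myapp .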
Combining Both Mechanisms in the Same Build
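A build might need both kinds of private access: a private package registry for some dependencies and a private Git repository for others. The two mount types are independent and can be used in the same Dockerfile without conflict; the build command then passes both the --secret and --ssh flags.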
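RUN --mount=type=ssh git clone git@github.com:example/internal-lib.git
RUN --mount=type=secret,id=npm_token \
    npm config set //registry.npmjs.org/:_authToken="$(cat /run/secrets/npm_token)" \
    && npm install && npm config delete //registry.npmjs.org/:_authToken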
Why Secure Private Dependency Access Matters
Many real-world projects depend on at least some privately hosted code or packages, and handling that dependency correctly — without leaking the credentials needed to access it into the resulting image — is essential for keeping both the build process and the final artifact secure.
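A static check for the leak patterns this guide warns against, as an added example that is not part of the original guide: it scans Dockerfile text for credentials passed through ARG or ENV, credential files copied into the image, an npm token left behind in .npmrc, and SSH clones that lack an SSH mount. The function names, rule names and the sample Dockerfile are constructed for illustration, and the rules are heuristics rather than a full Dockerfile parser.

```python
import re

# Added example; rule names and the sample Dockerfile below are constructed.
CRED_NAME = re.compile(r"TOKEN|PASSWORD|PASSWD|SECRET|API_?KEY", re.I)
CRED_FILE = re.compile(r"(\.npmrc|\.netrc|\.git-credentials|id_(rsa|ed25519|ecdsa))\b")

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def audit_dockerfile(text):
    """Return (line, rule) findings for credential handling that leaks into the image."""
    findings = []
    for n, ins in logical_lines(text):
        op, _, rest = ins.partition(" ")
        op = op.upper()
        name = re.split(r"[=\s]", rest.strip(), maxsplit=1)[0]
        if op in ("ARG", "ENV") and CRED_NAME.search(name):
            findings.append((n, "cred-in-arg-or-env"))       # recorded in image history/config
        elif op in ("COPY", "ADD") and CRED_FILE.search(rest):
            findings.append((n, "cred-file-copied"))         # file stays in a layer
        elif op == "RUN":
            if "npm config set" in rest and "_authToken" in rest \
                    and "npm config delete" not in rest:
                findings.append((n, "token-left-in-npmrc"))  # .npmrc persists in the layer
            if re.search(r"git clone\b.*?(git@|ssh://)", rest) \
                    and "--mount=type=ssh" not in rest:
                findings.append((n, "ssh-clone-without-ssh-mount"))
    return findings

SAMPLE = """\
FROM node:20
ARG NPM_TOKEN
COPY .npmrc /root/.npmrc
RUN git clone git@github.com:example/private-deps.git /tmp/deps
RUN --mount=type=secret,id=npm_token \\
    npm config set //registry.npmjs.org/:_authToken=$(cat /run/secrets/npm_token) \\
    && npm install
RUN --mount=type=ssh git clone git@github.com:example/internal-lib.git
"""
```

Calling `audit_dockerfile(SAMPLE)` reports lines 2 through 5 of the constructed sample and leaves the SSH-mounted clone on line 8 unflagged.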