Build variables

Table of contents

In Docker Build, build arguments (ARG) and environment variables (ENV) both serve as a means to pass information into the build process. You can use them to parameterize the build, allowing for more flexible and configurable builds.

Warning

Build arguments and environment variables are inappropriate for passing secrets to your build, because they're exposed in the final image. Instead, use secret mounts or SSH mounts, which expose secrets to your builds securely.

See Build secrets for more information.

Similarities and differences

Build arguments and environment variables are similar. They're both declared in the Dockerfile and can be set using flags for the docker build command. Both can be used to parametrize the build. But they each serve a distinct purpose.

Build arguments

Build arguments are variables for the Dockerfile itself. Use them to parametrize values of Dockerfile instructions. For example, you might use a build argument to specify the version of a dependency to install.

Build arguments have no effect on the build unless it's used in an instruction. They're not accessible or present in containers instantiated from the image unless explicitly passed through from the Dockerfile into the image filesystem or configuration. They may persist in the image metadata, as provenance attestations and in the image history, which is why they're not suitable for holding secrets.

They make Dockerfiles more flexible, and easier to maintain.

For an example on how you can use build arguments, see ARG usage example.

Environment variables

Environment variables are passed through to the build execution environment, and persist in containers instantiated from the image.

Environment variables are primarily used to:

  • Configure the execution environment for builds
  • Set default environment variables for containers

Environment variables, if set, can directly influence the execution of your build, and the behavior or configuration of the application.

You can't override or set an environment variable at build-time. Values for environment variables must be declared in the Dockerfile. You can combine environment variables and build arguments to allow environment variables to be configured at build-time.

For an example on how to use environment variables for configuring builds, see ENV usage example.

ARG usage example

Build arguments are commonly used to specify versions of components, such as image variants or package versions, used in a build.

Specifying versions as build arguments lets build with different versions without having to manually update the Dockerfile. It also makes it easier to maintain the Dockerfile, since it lets you declare versions at the top of the file.

Build arguments can also be a way to reuse a value in multiple places. For example, if you use multiple flavors of alpine in your build, you can ensure you're using the same version of alpine everywhere:

  • golang:1.22-alpine${ALPINE_VERSION}
  • python:3.12-alpine${ALPINE_VERSION}
  • nginx:1-alpine${ALPINE_VERSION}

The following example defines the version of node and alpine using build arguments.

# syntax=docker/dockerfile:1

ARG NODE_VERSION="20"
ARG ALPINE_VERSION="3.19"

FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION} AS base
WORKDIR /src

FROM base AS build
COPY package*.json ./
RUN npm ci
RUN npm run build

FROM base AS production
COPY package*.json ./
RUN npm ci --omit=dev && npm cache clean --force
COPY --from=build /src/dist/ .
CMD ["node", "app.js"]

In this case, the build arguments have default values. Specifying their values when you invoke a build is optional. To override the defaults, you would use the --build-arg CLI flag:

$ docker build --build-arg NODE_VERSION=current .

For more information on how to use build arguments, refer to:

ENV usage example

Declaring an environment variable with ENV makes the variable available to all subsequent instructions in the build stage. The following example shows an example setting NODE_ENV to production before installing JavaScript dependencies with npm. Setting the variable makes npm omits packages needed only for local development.

# syntax=docker/dockerfile:1

FROM node:20
WORKDIR /app
COPY package*.json ./
ENV NODE_ENV=production
RUN npm ci && npm cache clean --force
COPY . .
CMD ["node", "app.js"]

Environment variables aren't configurable at build-time by default. If you want to change the value of an ENV at build-time, you can combine environment variables and build arguments:

# syntax=docker/dockerfile:1

FROM node:20
ARG NODE_ENV=production
ENV NODE_ENV=$NODE_ENV
WORKDIR /app
COPY package*.json ./
RUN npm ci && npm cache clean --force
COPY . .
CMD ["node", "app.js"]

With this Dockerfile, you can use --build-arg to override the default value of ENV:

$ docker build --build-arg NODE_ENV=development .

Note that, because the environment variables you set persist in containers, using them can lead to unintended side-effects for the application's runtime.

For more information on how to use environment variables in builds, refer to:

Scoping

Build arguments declared in the global scope of a Dockerfile aren't automatically inherited into the build stages. They're only accessible in the global scope.

# syntax=docker/dockerfile:1

# The following build argument is declared in the global scope:
ARG NAME="joe"

FROM alpine
# The following instruction doesn't have access to the $NAME build argument
# because the argument was defined in the global scope, not for this stage.
RUN echo "hello ${NAME}!"

The echo command in this example evaluates to hello ! because the value of the NAME build argument is out of scope. To inherit global build arguments into a stage, you must consume them:

# syntax=docker/dockerfile:1

# Declare the build argument in the global scope
ARG NAME="joe"

FROM alpine
# Consume the build argument in the build stage
ARG NAME
RUN echo $NAME

Once a build argument is declared or consumed in a stage, it's automatically inherited by child stages.

# syntax=docker/dockerfile:1
FROM alpine AS base
# Declare the build argument in the build stage
ARG NAME="joe"

# Create a new stage based on "base"
FROM base AS build
# The NAME build argument is available here
# since it's declared in a parent stage
RUN echo "hello $NAME!"

The following diagram further exemplifies how build argument and environment variable inheritance works for multi-stage builds.

Pre-defined build arguments

This section describes pre-defined build arguments available to all builds by default.

Multi-platform build arguments

Multi-platform build arguments describe the build and target platforms for the build.

The build platform is the operating system, architecture, and platform variant of the host system where the builder (the BuildKit daemon) is running.

  • BUILDPLATFORM
  • BUILDOS
  • BUILDARCH
  • BUILDVARIANT

The target platform arguments hold the same values for the target platforms for the build, specified using the --platform flag for the docker build command.

  • TARGETPLATFORM
  • TARGETOS
  • TARGETARCH
  • TARGETVARIANT

These arguments are useful for doing cross-compilation in multi-platform builds. They're available in the global scope of the Dockerfile, but they aren't automatically inherited by build stages. To use them inside stage, you must declare them:

# syntax=docker/dockerfile:1

# Pre-defined build arguments are available in the global scope
FROM --platform=$BUILDPLATFORM golang
# To inherit them to a stage, declare them with ARG
ARG TARGETOS
RUN GOOS=$TARGETOS go build -o ./exe .

For more information about multi-platform build arguments, refer to Multi-platform arguments

Proxy arguments

Proxy build arguments let you specify proxies to use for your build. You don't need to declare or reference these arguments in the Dockerfile. Specifying a proxy with --build-arg is enough to make your build use the proxy.

Proxy arguments are automatically excluded from the build cache and the output of docker history by default. If you do reference the arguments in your Dockerfile, the proxy configuration ends up in the build cache.

The builder respects the following proxy build arguments. The variables are case insensitive.

  • HTTP_PROXY
  • HTTPS_PROXY
  • FTP_PROXY
  • NO_PROXY
  • ALL_PROXY

To configure a proxy for your build:

$ docker build --build-arg HTTP_PROXY=https://my-proxy.example.com .

For more information about proxy build arguments, refer to Proxy arguments.

Build tool configuration variables

The following environment variables enable, disable, or change the behavior of Buildx and BuildKit. Note that these variables aren't used to configure the build container; they aren't available inside the build and they have no relation to the ENV instruction. They're used to configure the Buildx client, or the BuildKit daemon.

VariableTypeDescription
BUILDKIT_COLORSStringConfigure text color for the terminal output.
BUILDKIT_HOSTStringSpecify host to use for remote builders.
BUILDKIT_PROGRESSStringConfigure type of progress output.
BUILDKIT_TTY_LOG_LINESStringNumber of log lines (for active steps in tty mode).
BUILDX_BAKE_GIT_AUTH_HEADERStringHTTP authentication scheme for remote Bake files.
BUILDX_BAKE_GIT_AUTH_TOKENStringHTTP authentication token for remote Bake files.
BUILDX_BAKE_GIT_SSHStringSSH authentication for remote Bake files.
BUILDX_BUILDERStringSpecify the builder instance to use.
BUILDX_CONFIGStringSpecify location for configuration, state, and logs.
BUILDX_EXPERIMENTALBooleanTurn on experimental features.
BUILDX_GIT_CHECK_DIRTYBooleanEnable dirty Git checkout detection.
BUILDX_GIT_INFOBooleanRemove Git information in provenance attestations.
BUILDX_GIT_LABELSString | BooleanAdd Git provenance labels to images.
BUILDX_NO_DEFAULT_ATTESTATIONSBooleanTurn off default provenance attestations.
BUILDX_NO_DEFAULT_LOADBooleanTurn off loading images to image store by default.
EXPERIMENTAL_BUILDKIT_SOURCE_POLICYStringSpecify a BuildKit source policy file.

BuildKit also supports a few additional configuration parameters. Refer to BuildKit built-in build args.

You can express Boolean values for environment variables in different ways. For example, true, 1, and T all evaluate to true. Evaluation is done using the strconv.ParseBool function in the Go standard library. See the reference documentation for details.

BUILDKIT_COLORS

Changes the colors of the terminal output. Set BUILDKIT_COLORS to a CSV string in the following format:

$ export BUILDKIT_COLORS="run=123,20,245:error=yellow:cancel=blue:warning=white"

Color values can be any valid RGB hex code, or one of the BuildKit predefined colors.

Setting NO_COLOR to anything turns off colorized output, as recommended by no-color.org.

BUILDKIT_HOST

You use the BUILDKIT_HOST to specify the address of a BuildKit daemon to use as a remote builder. This is the same as specifying the address as a positional argument to docker buildx create.

Usage:

$ export BUILDKIT_HOST=tcp://localhost:1234
$ docker buildx create --name=remote --driver=remote

If you specify both the BUILDKIT_HOST environment variable and a positional argument, the argument takes priority.

BUILDKIT_PROGRESS

Sets the type of the BuildKit progress output. Valid values are:

  • auto (default)
  • plain
  • tty
  • rawjson

Usage:

$ export BUILDKIT_PROGRESS=plain

BUILDKIT_TTY_LOG_LINES

You can change how many log lines are visible for active steps in tty mode by setting BUILDKIT_TTY_LOG_LINES to a number (default to 6).

$ export BUILDKIT_TTY_LOG_LINES=8

EXPERIMENTAL_BUILDKIT_SOURCE_POLICY

Lets you specify a BuildKit source policy file for creating reproducible builds with pinned dependencies.

$ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=./policy.json

Example:

{
  "rules": [
    {
      "action": "CONVERT",
      "selector": {
        "identifier": "docker-image://docker.io/library/alpine:latest"
      },
      "updates": {
        "identifier": "docker-image://docker.io/library/alpine:latest@sha256:4edbd2beb5f78b1014028f4fbb99f3237d9561100b6881aabbf5acce2c4f9454"
      }
    },
    {
      "action": "CONVERT",
      "selector": {
        "identifier": "https://raw.githubusercontent.com/moby/buildkit/v0.10.1/README.md"
      },
      "updates": {
        "attrs": {"http.checksum": "sha256:6e4b94fc270e708e1068be28bd3551dc6917a4fc5a61293d51bb36e6b75c4b53"}
      }
    },
    {
      "action": "DENY",
      "selector": {
        "identifier": "docker-image://docker.io/library/golang*"
      }
    }
  ]
}

BUILDX_BAKE_GIT_AUTH_HEADER

Introduced in Buildx version 0.14.0

Sets the HTTP authentication scheme when using a remote Bake definition in a private Git repository. This is equivalent to the GIT_AUTH_HEADER secret, but facilitates the pre-flight authentication in Bake when loading the remote Bake file. Supported values are bearer (default) and basic.

Usage:

$ export BUILDX_BAKE_GIT_AUTH_HEADER=basic

BUILDX_BAKE_GIT_AUTH_TOKEN

Introduced in Buildx version 0.14.0

Sets the HTTP authentication token when using a remote Bake definition in a private Git repository. This is equivalent to the GIT_AUTH_TOKEN secret, but facilitates the pre-flight authentication in Bake when loading the remote Bake file.

Usage:

$ export BUILDX_BAKE_GIT_AUTH_TOKEN=$(cat git-token.txt)

BUILDX_BAKE_GIT_SSH

Introduced in Buildx version 0.14.0

Lets you specify a list of SSH agent socket filepaths to forward to Bake for authenticating to a Git server when using a remote Bake definition in a private repository. This is similar to SSH mounts for builds, but facilitates the pre-flight authentication in Bake when resolving the build definition.

Setting this environment is typically not necessary, because Bake will use the SSH_AUTH_SOCK agent socket by default. You only need to specify this variable if you want to use a socket with a different filepath. This variable can take multiple paths using a comma-separated string.

Usage:

$ export BUILDX_BAKE_GIT_SSH=/run/foo/listener.sock,~/.creds/ssh.sock

BUILDX_BUILDER

Overrides the configured builder instance. Same as the docker buildx --builder CLI flag.

Usage:

$ export BUILDX_BUILDER=my-builder

BUILDX_CONFIG

You can use BUILDX_CONFIG to specify the directory to use for build configuration, state, and logs. The lookup order for this directory is as follows:

  • $BUILDX_CONFIG
  • $DOCKER_CONFIG/buildx
  • ~/.docker/buildx (default)

Usage:

$ export BUILDX_CONFIG=/usr/local/etc

BUILDX_EXPERIMENTAL

Enables experimental build features.

Usage:

$ export BUILDX_EXPERIMENTAL=1

BUILDX_GIT_CHECK_DIRTY

Introduced in Buildx version 0.10.4

When set to true, checks for dirty state in source control information for provenance attestations.

Usage:

$ export BUILDX_GIT_CHECK_DIRTY=1

BUILDX_GIT_INFO

Introduced in Buildx version 0.10.0

When set to false, removes source control information from provenance attestations.

Usage:

$ export BUILDX_GIT_INFO=0

BUILDX_GIT_LABELS

Introduced in Buildx version 0.10.0

Adds provenance labels, based on Git information, to images that you build. The labels are:

  • com.docker.image.source.entrypoint: Location of the Dockerfile relative to the project root
  • org.opencontainers.image.revision: Git commit revision
  • org.opencontainers.image.source: SSH or HTTPS address of the repository

Example:

  "Labels": {
    "com.docker.image.source.entrypoint": "Dockerfile",
    "org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b",
    "org.opencontainers.image.source": "git@github.com:foo/bar.git"
  }

Usage:

  • Set BUILDX_GIT_LABELS=1 to include the entrypoint and revision labels.
  • Set BUILDX_GIT_LABELS=full to include all labels.

If the repository is in a dirty state, the revision gets a -dirty suffix.

BUILDX_NO_DEFAULT_ATTESTATIONS

Introduced in Buildx version 0.10.4

By default, BuildKit v0.11 and later adds provenance attestations to images you build. Set BUILDX_NO_DEFAULT_ATTESTATIONS=1 to disable the default provenance attestations.

Usage:

$ export BUILDX_NO_DEFAULT_ATTESTATIONS=1

BUILDX_NO_DEFAULT_LOAD

When you build an image using the docker driver, the image is automatically loaded to the image store when the build finishes. Set BUILDX_NO_DEFAULT_LOAD to disable automatic loading of images to the local container store.

Usage:

$ export BUILDX_NO_DEFAULT_LOAD=1