SSH

Passing secrets (keys, passwords, tokens) to docker run/build - which is safer?

Conditions:
- there are projects with dependency managers (composer, npm)
- some dependencies are in private repositories with ssh access
- there are passwords / access tokens to external services (DBMS for example)
- the build is launched from a linux user whose home directory contains the required key
- the container is launched from a linux user whose environment variables contain the required password
- both the build and the launch of the container take place on a remote machine (DOCKER_HOST, etc. are configured)
Required:
a) build images in the Dockerfile that have dependency installation commands like {composer|npm} install from private git/composer/npm repositories
b) start containers with password passing to them
c) images should not contain traces of the key / password
d) there should not be traces of the key / password in the environment variables of the running container (daemon as a rule), the password should be in a local (not volum) file that dies with the container
All methods, those found in the Docker documentation that can pass a value or a file are either marked in the documentation as unsafe, or only work with the local daemon, not the remote one. As a temporary solution within the framework of the bench network, we pass everything through environment / build variables, but the documentation does not recommend this for production.
Who uses what in practice?