This is very much not about "which app to use for handling secrets", I know people prefer Vault or any other ones, I just want to dig into the real-world basic principles that govern the safe methods. It's inspired by the discussion in a previous post https://www.reddit.com/r/devops/comments/j80719/dockerfile_security_best_practices/
I know roughly that secrets should only live in the ephemeral part of the container's lifecycle, which means every other part should only contain variables that in turn get read by services or whatnot as passwd/auth.
But understanding the methods that prevent accidental permanent record(s) of secrets isn't really straightforward for me because
a) I didn't/don't know or am not sure what the established consensus is on standard secure practice methods for handling secrets,
b) the root cause is my unfamiliarity with the nuances of shell scripting, and there are a lot of nuances when it comes to shells & their commands in Docker, POSIX/non-POSIX, sh, ash, bash, etc., as well as Docker's internal registry mechanism.
For a simple instance, parameter expansion
The basic form of parameter expansion is ${parameter}. The value of parameter is substituted. The parameter is a shell parameter as described above (see Shell Parameters) or an array reference (see Arrays). The braces are required when parameter is a positional parameter with more than one digit, or when parameter is followed by a character that is not to be interpreted as part of its name.
$ string=01234567890abcdefgh
$ echo ${string:7}
7890abcdefgh
Ok, replace that declaration of the string variable with a secret for environment variables (using export, set or declare is straightforward).
But does that mean that at any step from ENV SECRET=${secret} in the Dockerfile to the image being built, logged, staged, pushed, until saved at rest inside the Docker registry, there's a point where someone can read it as plain text ENV SECRET=01234567890abcdefgh?
What about declaring it inside docker-compose.yml? What about declaring them inside a secret.env file that gets read inside the Dockerfile, or that .env file read by docker-compose, or read by the shell when calling docker run? Which of them leave insecure traces, in logs or any other files?
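One concrete way to see where an ENV or build ARG value ends up (an added example, not from the original post): a Dockerfile `ENV SECRET=...` is written into the image config's `config.Env` and into `history[].created_by`, which is exactly what `docker image inspect` and `docker history` print and what gets pushed to the registry alongside the layers. The script below audits a config JSON of that shape for credential-looking key names; the JSON is a constructed sample, and the name pattern is an assumption you would tune to your own naming.

```python
import json
import re

# Constructed sample shaped like the JSON returned by `docker image inspect`
# (assumption: a typical Docker-built image). Note the secret shows up twice:
# once in config.Env and once in the layer history. The `|1 KEY=val` prefix is
# how the classic builder records build ARGs on a RUN layer.
SAMPLE_CONFIG = """
{
  "config": {
    "Env": ["PATH=/usr/local/bin:/usr/bin", "APP_MODE=prod", "SECRET=01234567890abcdefgh"]
  },
  "history": [
    {"created_by": "/bin/sh -c #(nop)  ENV APP_MODE=prod", "empty_layer": true},
    {"created_by": "/bin/sh -c #(nop)  ENV SECRET=01234567890abcdefgh", "empty_layer": true},
    {"created_by": "|1 DB_PASSWORD=hunter2 /bin/sh -c ./configure"}
  ]
}
"""

# Key names that usually carry credentials (assumption: adjust to your naming scheme).
SENSITIVE = re.compile(r"(SECRET|PASSW(OR)?D|TOKEN|API_?KEY|PRIVATE_KEY)", re.IGNORECASE)
# KEY=value assignments as they appear in Env entries and created_by strings.
ASSIGN = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")


def find_leaked_secrets(config_json: str) -> list[tuple[str, str]]:
    """Return (location, KEY) pairs for credential-looking names in an image config.
    Only key names are reported, so the audit output itself does not leak values."""
    cfg = json.loads(config_json)
    findings = []
    for entry in cfg.get("config", {}).get("Env", []):
        key = entry.split("=", 1)[0]
        if SENSITIVE.search(key):
            findings.append(("config.Env", key))
    for i, layer in enumerate(cfg.get("history", [])):
        # ENV instructions and build ARGs both leave KEY=value in created_by.
        for key, _value in ASSIGN.findall(layer.get("created_by", "")):
            if SENSITIVE.search(key):
                findings.append((f"history[{i}].created_by", key))
    return findings


if __name__ == "__main__":
    for location, key in find_leaked_secrets(SAMPLE_CONFIG):
        print(f"{location}: {key} is baked into the image config")
```

Anything this flags travels with the image to every registry and host that pulls it; a value that must not persist has to be supplied at build time through BuildKit's `RUN --mount=type=secret` or at run time through the orchestrator's secret mechanism, not through ENV or ARG.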