docs(container_registry): Pass Docker credentials in a safer way

Passing the password/token on the command line is insecure and can easily leak, e.g. via the `ps` command line tool. The here-string syntax `<<<$var` avoids this problem. While there fixed language that could be misread as `CI_REGISTRY_PASSWORD` being a short-lived token. According to https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#gitlab-cicd-job-token-security the token is long-lifed and needs to be protected.

docs(container_registry): Pass Docker credentials in a safer way
8abed57a · Florian Forster · GitLab · b5c9955d · 8abed57a · 8abed57a
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -51,20 +51,20 @@ You can't use a job token to push to a repository, but [issue 389060](https://gi

 ## GitLab CI/CD job token security

-To make sure that this token doesn't leak, GitLab:
+To prevent the CI/CD job token from leaking, GitLab:

 - Masks the job token in job logs.
 - Grants permissions to the job token only when the job is running.

-To make sure that this token doesn't leak, you should also configure
-your [runners](../runners/index.md) to be secure. Avoid:
+To prevent leaking the deploy token, you should also configure your [runners](../runners/index.md)
+to be secure:

- Using Docker `privileged` mode if the machines are re-used.
- Using the [`shell` executor](https://docs.gitlab.com/runner/executors/shell.html) when jobs
+- Avoid using Docker `privileged` mode if the machines are re-used.
+- Avoid using the [`shell` executor](https://docs.gitlab.com/runner/executors/shell.html) when jobs
  run on the same machine.

-If you have an insecure GitLab Runner configuration, you increase the risk that someone
-tries to steal tokens from other jobs.
+An insecure GitLab Runner configuration increases the risk that someone can steal tokens from other
+jobs.

 ## Configure CI/CD job token access


--- a/doc/user/packages/container_registry/authenticate_with_container_registry.md
+++ b/doc/user/packages/container_registry/authenticate_with_container_registry.md
@@ -21,7 +21,8 @@ All of these authentication methods require the minimum scope:
 To authenticate, run the `docker login` command. For example:

 ```shell
-docker login registry.example.com -u <username> -p <token>
+TOKEN=<token>
+docker login registry.example.com -u <username> --password-stdin <<<$TOKEN
 ```

 ## Use GitLab CI/CD to authenticate
@@ -30,17 +31,17 @@ To use CI/CD to authenticate with the container registry, you can use:

 - The `CI_REGISTRY_USER` CI/CD variable.

-  This variable has read-write access to the container registry and is valid for
-  one job only. Its password is also automatically created and assigned to `CI_REGISTRY_PASSWORD`.
+  This variable holds a per-job user with read-write access to the container registry.
+  Its password is also automatically created and available in `CI_REGISTRY_PASSWORD`.

  ```shell
-  docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin <<<$CI_REGISTRY_PASSWORD
  ```

 - A [CI job token](../../../ci/jobs/ci_job_token.md).

  ```shell
-  docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
+  docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin <<<$CI_JOB_TOKEN
  ```

 - A [deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token) with the minimum scope of:
@@ -48,7 +49,7 @@ To use CI/CD to authenticate with the container registry, you can use:
  - For write (push) access, `write_registry`.

  ```shell
-  docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
+  docker login $CI_REGISTRY -u $CI_DEPLOY_USER --password-stdin <<<$CI_DEPLOY_PASSWORD
  ```

 - A [personal access token](../../profile/personal_access_tokens.md) with the minimum scope of:
@@ -56,5 +57,5 @@ To use CI/CD to authenticate with the container registry, you can use:
  - For write (push) access, `write_registry`.

  ```shell
-  docker login -u <username> -p <access_token> $CI_REGISTRY
+  docker login $CI_REGISTRY -u <username> -p <access_token>
  ```
--- a/doc/user/project/deploy_tokens/index.md
+++ b/doc/user/project/deploy_tokens/index.md
@@ -67,7 +67,7 @@ use in a CI/CD pipeline:
 For example, to use a GitLab token to log in to your GitLab container registry:

 ```shell
-docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
+docker login $CI_REGISTRY -u $CI_DEPLOY_USER --password-stdin <<<$CI_DEPLOY_PASSWORD
 ```

 NOTE:
@@ -76,6 +76,20 @@ work for group deploy tokens. To make a group deploy token available for CI/CD j
 `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD` CI/CD variables in **Settings > CI/CD > Variables** to the
 name and token of the group deploy token.

+### GitLab deploy token security
+
+GitLab deploy tokens are long-lived, making them attractive for attackers.
+
+To prevent leaking the deploy token, you should also configure your
+[runners](../../../ci/runners/index.md) to be secure:
+
+- Avoid using Docker `privileged` mode if the machines are re-used.
+- Avoid using the [`shell` executor](https://docs.gitlab.com/runner/executors/shell.html) when jobs
+  run on the same machine.
+
+An insecure GitLab Runner configuration increases the risk that someone can steal tokens from other
+jobs.
+
 ### GitLab public API

 Deploy tokens can't be used with the GitLab public API. However, you can use deploy tokens with some