I have an old PHP/Laravel project which runs with docker-compose for production. I never had any issues, although I am now trying to do some maintenance on it. I have a step in my CircleCI config through which I create a .env file with the variables set in the Environment variables section on the CircleCI dashboard.

    some-job:
      steps:
        - checkout
        - run:
            name: Setup .env
            command: |
              echo APP_NAME=${APP_NAME} >> .env
              echo APP_ENV=${APP_ENV} >> .env

Once this step is done, I've got several steps to do, like pulling the code from Docker Hub, and then I deploy it by having yet another step like so:

        - run:
            name: Deploy
            command: |
              docker-compose -f docker-compose.live.yml -p project_name up -d

The docker-compose.live.yml on each of my containers points to the .env created in the previous step by the option env_file: .env.
Does this pose any security-related issues? What would be a better alternative?
Source: Laravel
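
One way to write the .env file described in the post, as an added example that is not part of the original post: it creates the file with owner-only permissions, replaces it instead of appending, and stops if a variable is unset. The helper name `write_env_file` and its exit codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post): build the .env that
# docker-compose reads through env_file. Compared with `echo VAR=${VAR} >> .env`:
#   - values are written literally (unquoted echo collapses spaces, expands globs)
#   - the file is replaced, so a re-run or an existing .env is not appended to
#   - the file is created 0600 instead of following the job's default umask
#   - an unset or empty variable stops the job instead of writing "VAR="

# write_env_file PATH VAR [VAR...]
# Returns non-zero and leaves PATH untouched on any error.
write_env_file() {
    [ "$#" -ge 2 ] || return 64
    out=$1; shift
    (
        umask 077
        tmp=$(mktemp "${out}.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT
        for name in "$@"; do
            # Only plain identifiers may reach the eval below.
            case $name in
                ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad name: $name" >&2; exit 2 ;;
            esac
            eval "val=\${$name-}"
            [ -n "$val" ] || { echo "missing: $name" >&2; exit 3; }
            # A newline in a value would add an extra line to the env file.
            case $val in
                *'
'*) echo "newline in: $name" >&2; exit 4 ;;
            esac
            printf '%s=%s\n' "$name" "$val" >> "$tmp"
        done
        mv -f "$tmp" "$out"    # replace the old file in one step
    )
}

# In the CI step: write_env_file .env APP_NAME APP_ENV
```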