Containerize a golang app using private GitHub repos as import packages

Anurag Dhingra
2 min readJan 29, 2019

What’s the problem?

We do containerize a lot of applications and services every day using docker so what’s the point of this article? The problem starts when you realise how go advises you to import and use GitHub packages. The correct way of importing GitHub or any external package is by using the URL concerning the package except of course those handled by the default go SDK. Now, what if its a private repository that you are importing? Golang as of now doesn’t support a way to handle that. Its a much bigger issue if you have to containerize an app which uses private repo imports.


The workaround I found to the above is basically by changing the default git config to use ssh instead of https and hence go get uses ssh.You can do it as follows:
Add to $HOME/.gitconfig:

[url "ssh://"]
insteadOf =

NOTE: Make sure you can the correct SSH_KEY(generally named as id_rsa) associated with the GitHub account which has the access to the private repo to you are importing.

Steps to follow while containerizing the same application:

  1. Supply the correct SSH_KEY inside the docker build to make sure it can make authenticated requests to fetch your private GitHub imports.
  2. Add the above-shown changes to the .gitconfig file inside your docker env.

All of these above two steps turn into the following chunk of the script that can be added to your Dockerfile directly. Just make sure to supply the -- build-arg SSH_KEY during the build

RUN mkdir -p /root/.ssh && \
echo "$SSH_KEY" > /root/.ssh/id_rsa && \
chmod 0600 /root/.ssh/id_rsa && \
eval `ssh-agent` && \
ssh-add /root/.ssh/id_rsa && \
ssh-keyscan >> /root/.ssh/known_hosts && \
echo "[url \"ssh://\"]\n\tinsteadOf =" >> /root/.gitconfig && \
echo "Host\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config


  • The entire above concept is implemented here -

Just added an additional makefile which takes an optional ssh_key_path in case the user has a custom key path and supplies it during the build.
Using the script to coordinate the containers.


  • The best improvement would surely be if golang gives out some kind of default support for go get over private packages. Is should be possible to add a flag that causes go to clone over ssh (or any other potential future protocol). A flag would be easy to use in CI where necessary and is more easily explained than editing a .gitconfig or .netrc.