Below is a reference to the depot CLI, including all config, commands, flags, and options. To submit an issue or features please see our CLI repo over on GitHub.
Some commands need to know which project to route the build to.
For interactive terminals calling build or bake, if don't specify a project, you will be prompted to choose a project when using an interactive prompt and given the option to save that project for future use in a depot.json file.
Alternatively, you can specify the Depot project for any command using any of the following methods:
--project flag with the ID of the project you want to useDEPOT_PROJECT_ID environment variable to the ID of the project you want to useThe Depot CLI supports different authentication mechanisms based on where you're running your build, you can read more about them in our authentication docs.
For the CLI running locally, you can use the depot login command to authenticate with your Depot account, and the depot logout command to log out. This will generate a user token and store it on your local machine. We recommended only using this option when running builds locally.
When using the CLI in a CI environment like GitHub Actions, we recommended configuring your workflows to leverage our OIDC trust relationships. These prevent the need to store user tokens in your CI environment and allow you to authenticate with Depot using your CI provider's identity.
For CI providers that don't support OIDC, we recommended configuring your CI environment to use a project token.
--token flagA variety of Depot CLI calls accept a --token flag, which allows you to specify a user or project token to use for the command. If no token is specified, the CLI will attempt to use the token stored on your local machine or look for an environment variable called DEPOT_TOKEN.
depot bakeThe bake command allows you to define all of your build targets in a central file, either HCL, JSON, or Compose. You can then pass that file to the bake command and Depot will build all of the target images with all of their options (i.e. platforms, tags, build arguments, etc.).
By default, depot bake will leave the built image in the remote builder cache. If you would like to download the image to your local Docker daemon (for instance, to docker run the result), you can use the --load flag.
Alternatively, to push the image to a remote registry directly from the builder instance, you can use the --push flag.
Example
An example docker-bake.hcl file:
group "default" {
targets = ["original", "db"]
}
target "original" {
dockerfile = "Dockerfile"
platforms = ["linux/amd64", "linux/arm64"]
tags = ["example/app:test"]
}
target "db" {
dockerfile = "Dockerfile.db"
platforms = ["linux/amd64", "linux/arm64"]
tags = ["example/db:test"]
}To build all of the images we just need to call bake:
depot bake -f docker-bake.hclIf you want to build different targets in the bake file with different Depot projects, you can specify the project_id in the target block:
group "default" {
targets = ["original", "db"]
}
target "original" {
dockerfile = "Dockerfile"
platforms = ["linux/amd64", "linux/arm64"]
tags = ["example/app:test"]
project_id = "project-id-1"
}
target "db" {
dockerfile = "Dockerfile.db"
platforms = ["linux/amd64", "linux/arm64"]
tags = ["example/db:test"]
project_id = "project-id-2"
}If you want to build a specific target in the bake file, you can specify it in the bake command:
depot bake -f docker-bake.hcl originalYou can also save all of the targets built in a bake or compose file to the ephemeral registry for later use with the --save flag:
depot bake -f docker-bake.hcl --saveDepot supports using bake to build Docker Compose files.
To use depot bake with a Docker Compose file, you can specify the file with the -f flag:
depot bake -f docker-compose.ymlCompose files have special extensions prefixed with x- to give additional information to the build process.
In this example, the x-bake extension is used to specify the tags for each service and the x-depot extension is used to specify different project IDs for each.
services:
mydb:
build:
dockerfile: ./Dockerfile.db
x-bake:
tags:
- ghcr.io/myorg/mydb:latest
- ghcr.io/myorg/mydb:v1.0.0
x-depot:
project-id: 1234567890
myapp:
build:
dockerfile: ./Dockerfile.app
x-bake:
tags:
- ghcr.io/myorg/myapp:latest
- ghcr.io/myorg/myapp:v1.0.0
x-depot:
project-id: 9876543210bakeThis command accepts all the command line flags as Docker's docker buildx bake command.
| Name | Description |
|---|---|
build-platform | Run builds on this platform ("dynamic", "linux/amd64", "linux/arm64") (default "dynamic") |
file | Build definition file |
help | Show the help doc for bake |
lint | Lint Dockerfiles of targets before the build |
lint-fail-on | Set the lint severity that fails the build ("info", "warn", "error", "none") (default "error") |
load | Shorthand for "--set=*.output=type=docker" |
metadata-file | Write build result metadata to the file |
no-cache | Do not use cache when building the image |
print | Print the options without building |
progress | Set type of progress output ("auto", "plain", "tty"). Use plain to show container output (default "auto") |
project | Depot project ID |
provenance | Shorthand for "--set=*.attest=type=provenance" |
pull | Always attempt to pull all referenced images |
push | Shorthand for "--set=*.output=type=registry" |
save | Saves the build to the Depot ephemeral registry |
sbom | Shorthand for "--set=*.attest=type=sbom" |
sbom-dir | Directory to store SBOM attestations |
set | Override target value (e.g., "targetpattern.key=value") |
token | Depot token (authentication docs) |
depot buildRuns a Docker build using Depot's remote builder infrastructure.
By default, depot build will leave the built image in the remote builder cache. If you would like to download the image to your local Docker daemon (for instance, to docker run the result), you can use the --load flag.
Alternatively, to push the image to a remote registry directly from the builder instance, you can use the --push flag.
Example
# Build remotely
depot build -t repo/image:tag .# Build remotely, download the container locally
depot build -t repo/image:tag . --load# Lint your dockerfile
depot build -t repo/image:tag . --lint# Build remotely, push to a registry
depot build -t repo/image:tag . --pushbuildThis command accepts all the command line flags as Docker's docker buildx build command.
| Name | Description |
|---|---|
add-host | Add a custom host-to-IP mapping (format: "host:ip") |
allow | Allow extra privileged entitlement (e.g., "network.host", "security.insecure") |
attest | Attestation parameters (format: "type=sbom,generator=image") |
build-arg | Set build-time variables |
build-context | Additional build contexts (e.g., name=path) |
build-platform | Run builds on this platform ("dynamic", "linux/amd64", "linux/arm64") (default "dynamic") |
cache-from | External cache sources (e.g., "user/app:cache", "type=local,src=path/to/dir") |
cache-to | Cache export destinations (e.g., "user/app:cache", "type=local,dest=path/to/dir") |
cgroup-parent | Optional parent cgroup for the container |
file | Name of the Dockerfile (default: "PATH/Dockerfile") |
help | Show help doc for build |
iidfile | Write the image ID to the file |
label | Set metadata for an image |
lint | Lint Dockerfile before the build |
lint-fail-on | Set the lint severity that fails the build ("info", "warn", "error", "none") (default "error") |
load | Shorthand for "--output=type=docker" |
metadata-file | Write build result metadata to the file |
network | Set the networking mode for the "RUN" instructions during build (default "default") |
no-cache | Do not use cache when building the image |
no-cache-filter | Do not cache specified stages |
output | Output destination (format: "type=local,dest=path") |
platform | Set target platform for build |
progress | Set type of progress output ("auto", "plain", "tty"). Use plain to show container output (default "auto") |
project | Depot project ID |
provenance | Shortand for "--attest=type=provenance" |
pull | Always attempt to pull all referenced images |
push | Shorthand for "--output=type=registry" |
quiet | Suppress the build output and print image ID on success |
save | Saves the build to the Depot ephemeral registry |
sbom | Shorthand for "--attest=type=sbom" |
sbom-dir | Directory to store SBOM attestations |
secret | Secret to expose to the build (format: "id=mysecret[,src=/local/secret]") |
shm-size | Size of "/dev/shm" |
ssh | SSH agent socket or keys to expose to the build |
tag | Name and optionally a tag (format: "name:tag") |
target | Set the target build stage to build |
token | Depot token |
ulimit | Ulimit options (default []) |
depot cacheInteract with the cache associated with a Depot project. The cache command consists of subcommands for each operation.
depot cache resetReset the cache of the Depot project to force a new empty cache volume to be created.
Example
Reset the cache of the current project ID in the root depot.json
depot cache reset .Reset the cache of a specific project ID
depot cache reset --project 12345678910depot configure-dockerConfigure Docker to use Depot's remote builder infrastructure. This command installs Depot as a Docker CLI plugin (i.e., docker depot ...), sets the Depot plugin as the default Docker builder (i.e., docker build), and activates a buildx driver (i.e. docker buildx buildx ...).
depot configure-dockerIf you want to uninstall the plugin, you can specify the --uninstall flag.
depot configure-docker --uninstalldepot listInteract with Depot builds.
depot list buildsDisplay the latest Depot builds for a project. By default the command runs an interactive listing of depot builds showing status and build duration.
To exit type q or ctrl+c
Example
List builds for the project in the current directory.
depot list buildsExample
List builds for a specific project ID
depot list builds --project 12345678910Example
The list command can output build information to stdout with the --output option. It supports json and csv.
Output builds in JSON for the project in the current directory.
depot list builds --output jsondepot initInitialize an existing Depot project in the current directory. The CLI will display an interactive list of your Depot projects for you to choose from, then write a depot.json file in the current directory with the contents {"id": "PROJECT_ID"}.
Example
depot initdepot loginAuthenticates with your Depot account, automatically creating and storing a user token on your local machine.
Example
depot logindepot logoutLogout out of your Depot account, removing your user token from your local machine.
Example
depot logoutdepot projects createCreate a new project in your Depot organization.
depot projects create "your-project-name"Projects will be created with the default region us-east-1 and cache storage policy of 50 GB per architecture. You can specify a different region and cache storage policy using the --region and --cache-storage-policy flags.
depot projects create --region eu-central-1 --cache-storage-policy 100 "your-project-name"If you are in more than one organization, you can specify the ID of the organization you want the project to be created in using the --organization flag.
depot projects create ---organization 12345678910 "your-project-name"createAdditional flags that can be used with this command.
| Name | Description |
|---|---|
platform | Pulls image for specific platform ("linux/amd64", "linux/arm64") |
organization | Depot organization ID |
region | Build data will be stored in the chosen region (default "us-east-1") |
cache-storage-policy | Build cache to keep per architecture in GB (default 50) |
token | Depot token |
depot projects listDisplay an interactive listing of current Depot projects. Selecting a specific project will display the latest builds.
To return from the latest builds to projects, press ESC.
To exit type q or ctrl+c
Example
depot list projectsdepot pullPull an image from the ephemeral registry by build ID in a project.
Example
depot pull --project <project-id> <build-id>You can also specify the tag to assign to the image using the -t flag.
Example
depot pull --project <project-id> -t <image-name>:<tag> <build-id>There is also the option to pull an image for a specific platform.
depot pull --project <project-id> --platform linux/arm64 <build-id>pullAdditional flags that can be used with this command.
| Name | Description |
|---|---|
platform | Pulls image for specific platform ("linux/amd64", "linux/arm64") |
progress | Set type of progress output ("auto", "plain", "tty", "quiet") (default "auto") |
project | Depot project ID |
tag | Optional tags to apply to the image |
token | Depot token |
depot pull-tokenGenerate a short-lived token to pull an image from the ephemeral registry.
Example
depot pull-token --project <project-id>You can also specify a build ID to generate a token for a specific build.
Example
depot pull-token --project <project-id> <build-id>pull-tokenAdditional flags that can be used with this command.
| Name | Description |
|---|---|
project | Depot project ID |
token | Depot token |
depot pushPush an image from the ephemeral registry to a remote registry. It uses registry credentials stored in Docker when pushing to registries. If you have not already authenticated with your registry, you should do so with docker login before running depot push.
Example
depot push --project <project-id> <build-id>You can also specify the tag to assign to the image that is being pushed by using the -t flag.
Example
depot push --project <project-id> -t <image-name>:<tag> <build-id>pushAdditional flags that can be used with this command.
| Name | Description |
|---|---|
progress | Set type of progress output ("auto", "plain", "tty", "quiet") (default "auto") |
project | Depot project ID |
tag | Optional tags to apply to the image |
token | Depot token |