Skip to main content

Use Dagger with Private Git Repositories

Dagger recommends you to rely on your host's SSH authentication agent to securely authenticate against private remote Git repositories.

To clone private repositories, the only requirements are to run ssh-add on the Dagger host (to add your SSH key to the authentication agent), and mount its socket using the SSHAuthSocket parameter of the (Dagger.GitRef).Tree API.

Assume that you have a Dagger CI tool containing the following code, which references a private repository:

package main

import (


func main() {
ctx := context.Background()
client, err := dagger.Connect(ctx)
if err != nil {
defer client.Close()

// Retrieve path of authentication agent socket from host
sshAgentPath := os.Getenv("SSH_AUTH_SOCK")

// Private repository with a file at the root.
readme, err := client.
Git("git@private-repository.git", dagger.GitOpts{
SSHAuthSocket: client.Host().UnixSocket(sshAgentPath),

if err != nil {

fmt.Println("readme", readme)

Now, first remove all the SSH keys from the authentication agent on the Dagger host:

➜  ssh-add -D
All identities removed.

Attempt to run the CI tool:

➜  dagger run go run .
panic: input:1: git.branch.tree.file.contents failed to load cache key: failed to fetch remote
exit status 128

The CI tool fails, as it is unable to find the necessary authentication credentials to read the private repository in the SSH authentication agent.

Now, add the SSH key to the authentication agent on the host and try again:

➜ ssh-add
Identity added: xxxxx
dagger run go run .
readme #

Finally, the CI tool succeeds in reading the private Git repository.