command should not accept API key as argument (--api-key) #1

@thaJeztah

Description

Disclaimer: I don't know how sensitive this information is, but I noticed this while glancing over the plugin's instructions, and this one stood out 😅

The base-cli-plugin currently accepts the API token as an argument on the command-line, which is insecure, as the token would persist in (ba)sh history, can potentially end up in audit logs or in various other ways, and encourages users to include the token in scripts.

Some potential alternatives:

  1. Ideally, access would be obtained as part of a regular docker login - but I assume this is currently not integrated yet, so not (yet) possible.
  2. Provide an interactive login (similar to docker login)
  3. Allow passing the token through an environment variable
  4. Allow the token to be read from stdin; similar to "Password stdin" (cli#271)

Note that

  • options 2-4 don't have to be mutually exclusive, so could all be supported
  • I haven't looked into this option, but it's potentially possible for docker login to authenticate to dso.docker.com, if there's an API endpoint that's compatible with how authentication works for registries; the user could in that case run docker login dso.docker.com, and the CLI would store the credentials under that hostname (allowing the plugin to read back the credentials with that hostname)
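As an added illustration (not code from the plugin or from the issue author), here is how a Go CLI plugin could apply options 3 and 4 above: the token is accepted from an environment variable or from a single line on stdin, and an explicit --api-key argument is refused rather than quietly honoured. The variable name DSO_API_KEY and the --api-key-stdin flag are assumptions made for this example.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"os"
	"strings"
)

const envVar = "DSO_API_KEY" // hypothetical variable name for this example

// argv is visible in the process table, shell history and audit logs, so a
// token passed as a flag value is rejected instead of quietly accepted.
var ErrTokenOnCommandLine = errors.New("refusing --api-key on the command line; use " + envVar + " or --api-key-stdin")

var ErrNoToken = errors.New("no API token provided")

// ResolveToken implements options 3 and 4 from the issue: the token is read
// from stdin or from an environment variable and never taken from argv.
// flagValue is whatever the discouraged --api-key flag was given, fromStdin
// reflects a hypothetical --api-key-stdin flag, envValue is os.Getenv(envVar).
func ResolveToken(flagValue string, fromStdin bool, stdin io.Reader, envValue string) (string, error) {
	if flagValue != "" {
		return "", ErrTokenOnCommandLine
	}
	tok := strings.TrimSpace(envValue)
	if fromStdin {
		// Read one line only, mirroring `docker login --password-stdin`.
		line, err := bufio.NewReader(stdin).ReadString('\n')
		if err != nil && !errors.Is(err, io.EOF) {
			return "", err
		}
		tok = strings.TrimRight(line, "\r\n")
	}
	if tok == "" {
		return "", ErrNoToken
	}
	return tok, nil
}

func main() { // e.g. `printf '%s\n' "$TOKEN" | plugin login --api-key-stdin`
	if _, err := ResolveToken("", true, os.Stdin, os.Getenv(envVar)); err != nil {
		os.Stderr.WriteString(err.Error() + "\n")
		os.Exit(1)
	}
}
```

When both sources are present, stdin wins, so a value left in the environment cannot silently override what a script piped in.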

Metadata

Labels: bug (Something isn't working)