This confused me as well. I didn't know that there was the ENV command for dockerfiles. It never occurred to me that someone would want to use that, and certainly not to put a secret in a plaintext dockerfile.

Seems such an obvious tip first up that it put me off reading the rest of the article.