Secrets such as passwords and SSH keys must not be stored in environment variables. Basically, environment variables are often stored (unencrypted) in logs and displayed when an error occurs.
The Docker security team recently published a post explaining why storing secrets in env variables should be avoided: https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/
They also released a tool to manage secrets.

Flex actually uses environment variables to store secrets (ex: the Doctrine recipe). It should use files or a system similar to the one introduced by Docker instead.