| ▲ | hjkl_hacker 7 hours ago | |
This doesn’t really fix that it can echo the secrets and read the logs. `enveil run — printenv` | ||
| ▲ | darthwalsh 5 minutes ago | parent | next [-] | |
Jenkins CI has a clever feature where every password it injects will be redacted if printed to stdout; `enveil run` could do that with the wrapped process? Of course that's only a defense against accidents. Nothing prevents encoding base64 or piping to disk. | ||
| ▲ | Datagenerator 7 hours ago | parent | prev [-] | |
Not the author but No, the decryption would ask the secret again? The readme mentions it's wiped from memory after use. | ||