  • Stars: 105
  • Rank: 328,196 (Top 7 %)
  • Language: Go
  • License: MIT License
  • Created almost 4 years ago
  • Updated over 3 years ago

Friends don't let friends leak secrets on their terminal window 🙈

senv - safer env

Friends don't let friends leak secrets in terminal windows.

📺 Print your environment to the terminal without worry, even in recorded Zoom sessions
🙈 Execute commands and block snooping on your secrets
💻 Start an interactive shell with non-sensitive environment variables
🐳 Use senv with Docker to ensure nothing inside the container is snooping around
#️⃣ Copy senv to /usr/bin and use /usr/bin/senv in your shebang lines to ensure no secret leaks

Quick Start

You can install senv with homebrew:

$ brew tap spectralops/tap && brew install senv

Print env

Use it just like env. Now you can print your environment in Zoom sessions 😄

$ senv

Execute command

Running senv in front of your command ensures that the environment variables you don't want exposed are never passed to the binary it launches:

$ senv my-binary --myopts todo.txt

A more secure shebang

Place senv at /usr/bin/senv, and you can now run scripts safely, like so:

#!/usr/bin/senv node

console.log("hello, world")

Options

$ senv --help
Arguments:
  [<cmd> ...]    Command to execute

Flags:
  -h, --help      Show context-sensitive help.
      --info      Show information
      --create    Create global config
      --config    Path to config file

The redaction list

Redactions are simply names of sensitive keys, or regular expressions matching key names. Either of these works:

GITHUB_TOKEN
.*_TOKEN

You can submit a pull request if this is a popular key, or add it to your own global configuration if you prefer a different, more specific setup.

Adding your own redactions

You can easily make your own custom redaction list. Create it:

$ senv --create
Wrote config to ~/.senv.yaml

Now you can add to your .senv.yaml:

# ~/.senv.yaml

redact:
- MY_SECRET_TOKEN

MY_SECRET_TOKEN will now be removed from the environment, in addition to the set of redactions senv already performs by default. If you prefer to start from scratch and redact only your own list:

# ~/.senv.yaml

no_defaults: true
redact:
- MY_SECRET_TOKEN
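The following is an added example, not senv's own code, showing how a redaction list of the kind described above (exact key names or regular expressions, a built-in default set, and a no_defaults switch) can be applied to a KEY=VALUE environment before printing it or handing it to a child process. It assumes a Config struct filled in directly instead of parsing ~/.senv.yaml, stands in only the two default patterns the README quotes for pkg/redact.go, and anchors every rule to the whole key name, which is an assumption about senv's matching semantics rather than a documented one.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// Config mirrors the two keys of ~/.senv.yaml. It is filled in directly as a
// struct here (constructed input) so the example runs offline without a YAML library.
type Config struct {
	NoDefaults bool     // yaml: no_defaults
	Redact     []string // yaml: redact
}

// defaultRedactions stands in for senv's built-in list in pkg/redact.go.
// Only the two patterns quoted in the README are reproduced; the real list
// is assumed to be longer.
var defaultRedactions = []string{"GITHUB_TOKEN", `.*_TOKEN`}

// Redactor holds the compiled rule set. Each rule is either an exact key name
// or a regular expression over key names; both are anchored to the whole key
// (an assumption about senv's matching), so `.*_TOKEN` drops NPM_TOKEN but
// leaves MY_TOKEN_ID alone. Write `.*TOKEN.*` if you want broader matching.
type Redactor struct {
	rules []*regexp.Regexp
}

// NewRedactor merges the defaults (unless no_defaults is set) with the user's
// list and compiles them, rejecting malformed patterns up front rather than
// silently letting a secret through at runtime.
func NewRedactor(cfg Config) (*Redactor, error) {
	var patterns []string
	if !cfg.NoDefaults {
		patterns = append(patterns, defaultRedactions...)
	}
	patterns = append(patterns, cfg.Redact...)

	r := &Redactor{}
	for _, p := range patterns {
		re, err := regexp.Compile("^(?:" + p + ")$")
		if err != nil {
			return nil, fmt.Errorf("invalid redaction %q: %w", p, err)
		}
		r.rules = append(r.rules, re)
	}
	return r, nil
}

// IsSensitive reports whether a variable name matches any redaction rule.
func (r *Redactor) IsSensitive(key string) bool {
	for _, re := range r.rules {
		if re.MatchString(key) {
			return true
		}
	}
	return false
}

// Clean takes KEY=VALUE entries in the shape of os.Environ() and returns a
// copy with every sensitive entry removed. Only the key is inspected; values
// are never examined or logged, so the redactor itself cannot leak them.
func (r *Redactor) Clean(environ []string) []string {
	out := make([]string, 0, len(environ))
	for _, kv := range environ {
		key := strings.SplitN(kv, "=", 2)[0]
		if !r.IsSensitive(key) {
			out = append(out, kv)
		}
	}
	return out
}

// Print renders the cleaned environment one entry per line, like `senv` with no arguments.
func (r *Redactor) Print(environ []string) string {
	return strings.Join(r.Clean(environ), "\n")
}

// Run launches a command that inherits only the cleaned environment, like
// `senv my-binary --myopts todo.txt`. Setting cmd.Env explicitly means the
// child never sees the redacted variables.
func (r *Redactor) Run(name string, args ...string) error {
	cmd := exec.Command(name, args...)
	cmd.Env = r.Clean(os.Environ())
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	// Constructed sample environment; the values are placeholders, not real secrets.
	sample := []string{
		"HOME=/home/dev",
		"GITHUB_TOKEN=ghp_placeholder",
		"NPM_TOKEN=npm_placeholder",
		"MY_SECRET_TOKEN=placeholder",
		"MY_TOKEN_ID=not-a-secret",
	}
	r, err := NewRedactor(Config{Redact: []string{"MY_SECRET_TOKEN"}})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(r.Print(sample)) // HOME and MY_TOKEN_ID survive; the three *_TOKEN keys are gone
}
```

Compiling the rules once at start-up is the point worth copying: a bad pattern fails loudly before anything is printed or executed, and because the filter only ever looks at key names, no secret value passes through the redaction code path.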

Use as a library

You can use senv as a library in the following way:

package main

import (
	"github.com/spectralops/senv/pkg"
)

func main() {
	senv := pkg.Senv{
		Cmd: []string{"my-cmd", "arg1"}, // the command senv will run after cleaning
	}
	senv.Init()
	senv.Clean() // from this point your env is clean

	// you can also use:
	// senv.Print() // print the redacted environment
	// senv.Exec()  // run Cmd with the redacted environment
}

Contributing a default redaction

Default redactions are placed at pkg/redact.go. Please feel free to add a default and submit a PR if:

  • It is well-known
  • It is generic enough, and not an edge case

After adding a redaction, run & update tests if needed:

$ make test

Thanks:

To all Contributors - you make this happen, thanks!

Copyright

Copyright (c) 2021 @jondot. See LICENSE for further details.

More Repositories

1. teller (Go, 813 stars): A secrets management tool for developers built in Go - never leave your command line for secrets.
2. netz (Go, 389 stars): Discover internet-wide misconfigurations while drinking coffee
3. keyscope (Rust, 386 stars): Keyscope is a key and secret workflow (validation, invalidation, etc.) tool built in Rust
4. preflight (Go, 153 stars): preflight helps you verify scripts and executables to mitigate supply-chain attacks such as the recent Codecov hack.
5. awesome-secure-saas-apis (122 stars): A catalog of SaaS APIs and their security levels, compliance, and regulation like GDPR, ISO27001, PCI and others
6. rust-ci-release-template (Rust, 78 stars): A Github Actions based CI release template for Rust binaries
7. helm-teller (Go, 39 stars): Allows you to manage configuration and secrets from multiple providers while masking the secrets at deployment
8. service-policy-kit (Rust, 21 stars): service_policy_kit is a Rust based toolkit for verifying HTTP services against policies.
9. vscode-extension (TypeScript, 18 stars): Monitor your code for exposed API keys, tokens, credentials, and high-risk security IaC misconfigurations
10. spectral-github-action (JavaScript, 14 stars): Spectral Security Integration into your Github Actions pipeline
11. lightscreen (Go, 13 stars): A configurable and flexible admission controller toolkit for Kubernetes built in Go and extensible with Go.
12. github-scopes-rs (Rust, 12 stars): Discover GitHub token scope permissions and get an easy interface for checking token permissions before querying GitHub.
13. spectral-terraform-lambda-integration (HCL, 10 stars): Terraform configuration used to create the required AWS resources for integrating between Spectral and external service providers.
14. spectral-goat (Jupyter Notebook, 6 stars): Vulnerable by design testbed repository for Spectral scanner.
15. spectral-pre-commit (4 stars): Spectral pre-commit.com Hooks
16. deep-unpack (Rust, 4 stars): 📦 Unpack deep archive files recursively over a file tree or a folder
17. setup-teller-action (JavaScript, 3 stars): Easily set up Teller in your CI jobs
18. spectral-example-github-actions (Ruby, 2 stars): Spectral With Github Workflows
19. spectral-orb (1 star): Spectral Security Integration into your CircleCI pipeline
20. spectral-example-pre-commit (1 star): Example for using pre-commit.com With Spectral pre-commit hooks
21. spectral-example-json-output (Ruby, 1 star): Spectral With JSON Output
22. setup-preflight-action (JavaScript, 1 star): Github action for setting up Preflight