Skip to content
/ senv Public

Friends don't let friends leak secrets on their terminal window 🙈

License

MIT license
104 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SpectralOps/senv

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.github/workflows
.github/workflows
 
 
media
media
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
.goreleaser.yml
.goreleaser.yml
 
 
LICENSE.txt
LICENSE.txt
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

senv - safer env

ci

Friends don't let friends leak secrets in terminal windows.

📺 Print your environment to the terminal without worry, even in recorded Zoom sessions
🙈 Execute commands and block snooping your secrets
💻 Start an interactive shell with non-sensitive environment variables
🐳 Use senv with Docker to ensure nothing inside the container is snooping around
#️⃣ Copy senv to /usr/bin and use /usr/bin/senv in your shebang lines to ensure no secret leaks

Quick Start

You can install senv with homebrew:

$ brew tap spectralops/tap && brew install senv

Print env

Use it just like env. Now you can print your environment in Zoom sessions 😄

$ senv

Execute command

Using senv before your command ensures no environment variable you don't want will be transferred to the binary that will run:

$ senv my-binary --myopts todo.txt

A more secure shebang

Place senv in /usr/bin/senv, and now you run safe, like so:

#!/usr/bin/senv node

console.log("hello, world")

Options

$ senv --help
Arguments:
  [<cmd> ...]    Command to execute

Flags:
  -h, --help      Show context-sensitive help.
      --info      Show information
      --create    Create global config
      --config    Path to config file

The redaction list

Redactions are simply names of sensitive keys, or regular expressions of keys. Any of these is good:

GITHUB_TOKEN
.*_TOKEN

You can can submit a pull request if this is a popular key, or add to your own global configuration if you like to do things in a different but specific way.

Adding your own redactions

You can easily make your own custom redaction list. Create it:

$ senv --create
Wrote config to ~/.senv.yaml

Now you can add to your .senv.yaml:

# ~/.senv.yaml

redact:
- MY_SECRET_TOKEN

MY_SECRET_TOKEN will now be removed from the environment, in addition to the set of redaction senv already performs. If you like to start from scratch and redact only your own list:

# ~/.senv.yaml

no_defaults: true
redact:
- MY_SECRET_TOKEN

Use as a library

You can use senv as a library in the following way:

import (
	"github.com/spectralops/senv/pkg"
)
senv := pkg.Senv{
  Cmd: []string{ "my-cmd", "arg1" }
}
senv.Init()
senv.Clean() // from this point your env is clean

// you can also use:
// senv.Print()
// senv.Exec()

Contributing a default redaction

Default redactions are placed at pkg/redact.go. Please feel free to add a default and submit a PR if:

  • It is well-known
  • Generic enough, and not an edge-case

After adding a redaction, run & update tests if needed:

$ make test

Thanks:

To all Contributors - you make this happen, thanks!

Copyright

Copyright (c) 2021 @jondot. See LICENSE for further details.

About

Friends don't let friends leak secrets on their terminal window 🙈

Topics

golang security environment-variables security-tools

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

104 stars

Watchers

5 watching

Forks

6 forks
Report repository

Releases 3

v0.7.0 Latest
May 4, 2021
+ 2 releases

Packages

No packages published

Languages