Commit fc4a6ad
fix(security): write generated secrets to a 0600 file instead of stdout
CodeQL flagged py/clear-text-logging-sensitive-data on generate-secrets.py:
_print_secret printed each freshly-generated secret value straight to
stdout, which can land in terminal scrollback, screen-recording tools, or
shared sessions.
Values now go to .generated.secrets.env (mode 0600, truncated at the start
of each run so stale secrets from a prior invocation never linger),
gitignored so it can never be committed. Only the env var name and a
"wrote to <path>" confirmation print to stdout.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>1 parent 86db5e3 commit fc4a6ad
2 files changed
Lines changed: 25 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
135 | 135 | | |
136 | 136 | | |
137 | 137 | | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
138 | 141 | | |
139 | 142 | | |
140 | 143 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
16 | 16 | | |
17 | 17 | | |
18 | 18 | | |
| 19 | + | |
19 | 20 | | |
20 | 21 | | |
21 | 22 | | |
| |||
78 | 79 | | |
79 | 80 | | |
80 | 81 | | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
81 | 99 | | |
82 | 100 | | |
83 | 101 | | |
| |||
142 | 160 | | |
143 | 161 | | |
144 | 162 | | |
145 | | - | |
| 163 | + | |
| 164 | + | |
146 | 165 | | |
147 | 166 | | |
148 | 167 | | |
149 | 168 | | |
150 | 169 | | |
151 | 170 | | |
152 | 171 | | |
153 | | - | |
| 172 | + | |
| 173 | + | |
154 | 174 | | |
155 | 175 | | |
156 | 176 | | |
| |||
0 commit comments