Merged
2 changes: 1 addition & 1 deletion .agents/prompts/build.txt
@@ -264,7 +264,7 @@ When referencing specific functions or code include the pattern `file_path:line_
- SAFE: `aidevops secret NAME -- cmd` — injects as env var with automatic output redaction
- SAFE: `SSH_AUTH_SOCK=... ssh ...` — env-based auth, no secret in argv
- The subprocess must read the value from its environment (`getenv()` in C/PHP, `process.env` in Node, `os.environ` in Python, `ENV[]` in Ruby), not from `$1`/`argv`.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (mode 0600), pass the file path as the argument, and delete the file immediately after. This is a last resort — prefer programs that support env var or stdin input.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (e.g., using `mktemp`, with mode 0600), pass the file path as the argument, and ensure the file is deleted immediately after (e.g., using a `trap` command for cleanup on exit or error). This is a last resort — prefer programs that support env var or stdin input.
medium

This guidance can be made more precise for better security and portability.

  • Explicitly mentioning chmod 0600 is more portable than relying on mktemp's mode-setting options, which differ between systems.
  • Clarifying that trap ensures cleanup on script exit (e.g., with the EXIT signal) is more accurate than 'immediately after', as trap's primary benefit is robustness against unexpected termination.
  - When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (e.g., using `mktemp` to create it and `chmod 0600` to set permissions), pass the file path as the argument, and ensure robust cleanup on script exit (e.g., using a `trap` command on the `EXIT` signal). This is a last resort — prefer programs that support env var or stdin input.

- For SSH/remote commands: `ssh host "ENV_VAR='value' command"` passes the secret in the remote shell's environment, not as an argument to `ssh` itself. Alternatively, use `ssh -o SendEnv=VAR` with server-side `AcceptEnv` configuration.
#
# 8.3 Post-execution secret detection (t4939, layer 2)
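Review bot: the new wording on the `- When the target program only accepts secrets as arguments` line still leaves a window in which the plaintext sits on disk readable by every process running as the same user, and "deleted immediately after" plus a `trap` does not close that window; the guidance should say the file goes in a private directory (e.g. `mktemp -d`, ideally under `$XDG_RUNTIME_DIR` rather than a shared `/tmp`) and that the `trap` is registered on `EXIT` before the secret is written, so cleanup runs on error and on normal exit alike. It is also worth adding that on bash a process substitution (`cmd <(printf '%s' "$SECRET")`) hands the program a `/dev/fd/N` path with nothing written to disk, which covers most "file path only" programs and should be tried before the temp-file fallback. Finally, since the surrounding list is about keeping secrets out of `argv`, the line should note that the temp-file path itself is fine to expose but the write must use a shell builtin (`printf`, not an external `echo`), otherwise the secret appears in that helper's argv.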