[Feat]: Extensibility for the environment attestor #275
Comments
This would be very valuable to have! Some suggestions/options:
@jkjell maybe this could have a feature label.
One thing for future conversation about this is what to do with environmental variables that modify the behavior of a process. If someone decides to compile a program with
Agree. I think this is something that all attestors should have.
Would a PR that protects vars by hiding the value be a good first step?
@joshdabosh please see the PR and the conversation that is happening there. Curious to hear your thoughts on proposed enhancements there.
Describe the solution you'd like:
A way to add environment variables to the default denylist, or a way to optionally only attest a specified list of environment variables.
User value:
Some environments may have sensitive information stored in environment variables which are not covered in the denylist now. Using the environment attestor will store them in recoverable plaintext in generated attestations.
Expected behavior:
Environment variables can be selectively denied or allowed to be attested.
Proposed solution:
Add a flag to decide between allowlist / denylist, and another flag to append to either list for later filtering.
Anything else you would like to add:
Testing changes required:
Add tests to make sure environment variables are correctly filtered.
Documentation changes required:
Add flags to the CLI reference and modify the Environment attestor page.
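
The allowlist / denylist filtering requested above, as an added Go example that is not part of the issue or the project's own code. `FilterMode`, `FilterEnv` and the entries in `defaultDeny` are hypothetical names and constructed sample values; matching case-insensitively in denylist mode and exactly in allowlist mode is an assumption made here so that both modes fail closed.

```go
package main

import (
	"fmt"
	"strings"
)

// FilterMode selects how the name list is interpreted (hypothetical flag value).
type FilterMode int

const (
	Denylist  FilterMode = iota // drop listed names, record everything else
	Allowlist                   // record only listed names
)

// defaultDeny is a constructed sample, not the attestor's real default list.
var defaultDeny = []string{"AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN"}

// FilterEnv takes KEY=VALUE entries (the os.Environ format) and returns the
// variables that may be written into an attestation. In Denylist mode extra
// is appended to defaultDeny; in Allowlist mode extra is the whole list.
func FilterEnv(environ []string, mode FilterMode, extra []string) map[string]string {
	names := extra
	norm := func(s string) string { return s } // Allowlist: exact names only
	if mode == Denylist {
		names = append(append([]string{}, defaultDeny...), extra...)
		norm = strings.ToUpper // Denylist: ignore case so variants are dropped too
	}
	listed := make(map[string]bool, len(names))
	for _, n := range names {
		listed[norm(strings.TrimSpace(n))] = true
	}
	out := make(map[string]string)
	for _, kv := range environ {
		key, val, ok := strings.Cut(kv, "=") // split on the first '=' only
		if !ok || key == "" {
			continue // malformed entry: never record it
		}
		// Keep when listed (Allowlist) or when not listed (Denylist).
		if listed[norm(key)] == (mode == Allowlist) {
			out[key] = val
		}
	}
	return out
}

func main() {
	env := []string{"PATH=/usr/bin", "DB_PASSWORD=hunter2", "GITHUB_TOKEN=x", "CI=true"} // constructed
	fmt.Println(FilterEnv(env, Denylist, []string{"DB_PASSWORD"}))
}
```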