github-commenter
Command help can expose sensitive credentials
If a sensitive parameter (e.g. GitHub access token) is passed by environment variable, then the help page includes this information as a "default" value. Sensitive values should not be exposed here, in case a mistake causes the help page to be displayed.
e.g.
...
-token string
Github access token (default "01234567890abcdef")
...
2020/05/07 16:29:56 -sha or GITHUB_COMMIT_SHA required
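An added example, not code from github-commenter, showing how Go's standard `flag` package produces the behaviour reported above and one way to avoid it: keep the flag default empty and read the environment only after parsing. The variable name `GITHUB_TOKEN`, the function names, and the flag set name `demo` are assumptions for illustration; the token is the placeholder value from the report.

```go
package main

import (
	"bytes"
	"flag"
	"fmt"
	"os"
)

// leakyHelp reproduces the reported pattern: the environment value is passed
// as the flag default, so PrintDefaults echoes it in the usage text.
func leakyHelp(getenv func(string) string) string {
	var buf bytes.Buffer
	fs := flag.NewFlagSet("demo", flag.ContinueOnError)
	fs.SetOutput(&buf)
	fs.String("token", getenv("GITHUB_TOKEN"), "Github access token")
	fs.PrintDefaults()
	return buf.String()
}

// safeToken keeps the default empty and falls back to the environment only
// after parsing, so the secret never reaches the usage or error output.
func safeToken(args []string, getenv func(string) string) (token, help string, err error) {
	var buf bytes.Buffer
	fs := flag.NewFlagSet("demo", flag.ContinueOnError)
	fs.SetOutput(&buf)
	t := fs.String("token", "", "Github access token (or set GITHUB_TOKEN)")
	if err = fs.Parse(args); err != nil {
		return "", buf.String(), err // usage was printed, still without the secret
	}
	if *t == "" {
		*t = getenv("GITHUB_TOKEN") // hypothetical variable name
	}
	fs.PrintDefaults()
	return *t, buf.String(), nil
}

func main() {
	// Constructed sample value (the placeholder from the report), not a real credential.
	os.Setenv("GITHUB_TOKEN", "01234567890abcdef")
	fmt.Print("leaky:\n", leakyHelp(os.Getenv))
	_, help, _ := safeToken(nil, os.Getenv)
	fmt.Print("safe:\n", help)
}
```

An explicit `-token` on the command line still takes precedence over the environment, matching the usual flag-over-environment ordering.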