It is a common practice to provide CI/CD processes secrets as environment variables. For example, take the GitHub Actions docs sample:
steps:
- shell: pwsh
env:
SUPER_SECRET: ${{ secrets.SuperSecret }}
run: |
example-command "$env:SUPER_SECRET"
Now suppose I want to debug this example-command
locally, using my own SuperSecret
(for example this could be my personal access token to some service). I would have to add something like this to launch.json
:
"type": "PowerShell",
//...
"env": {
"SUPER_SECRET": "MY_REALTOKEN_SERCET"
}
This is not ideal, considering my actual secret token is now stored in plaintext on my hard drive - which most likely isn't even encrypted. This can be easily solved by an extension, using the SecretStorage API, and indeed one such extension has been created to address this exact concern: https://marketplace.visualstudio.com/items?itemName=pomdtr.secrets&ssr=false .
The problem is, I'm not going to hand over all my secrets to an extension with a total of ~1,200 installs, one (4-star) review, and 4 GitHub stars - in my book it makes the cure more dangerous than the illness, and I'd rather take my chances with hackers gaining access to my hard drive. Don't get me wrong, the dev looks like a great guy, but I'd need a stronger guarantee for something like this...
The issue here is trust, especially in such a sensitive topic. Perhaps you could work with said extension's developer (@pomdtr) in order to integrate it into the VSCode codebase? I'd reckon this a very common scenario that could benefit from a very easy security gain...
7条答案
按热度按时间jhkqcmku1#
这个扩展将密钥设置为扩展主机进程中的环境变量?这样它们就可以被你安装的每一个扩展使用?
如果你在终端中调试一个PowerShell脚本,那么那个环境变量是如何出现在终端进程中的?
u1ehiz5o2#
这个扩展将密钥设置为扩展主机进程中的环境变量?这样它们就可以被你安装的每一个扩展使用?
如果你在终端中调试一个PowerShell脚本,那么这个环境变量是如何出现在终端进程中的?
正如你在 gif demo 中所看到的,环境变量可以在终端进程中使用 - 如果它们没有用的话,那就太没用了 :)
至于实现方式,我相信它使用了
EnvironmentVariableCollection
API,具体来说:https://github.com/pomdtr/vscode-secrets/blob/53f49f123edead64c401f9b9463dab45d9a3ffb7/src/vault.ts#L85C14-L85C14uklbhaso3#
我不确定这是否是最安全的实现方式,老实说,这只是我找到的唯一一个。我认为direnv扩展使用了类似的策略。
mkshixfv4#
我明白了。我想说这基本上是一个终端的功能请求,而不是用于调试,因为vscode无法以通用的方式处理所有调试适配器的工作方式。但是如果你像这里一样在终端中进行调试,它可以获取终端环境变量。
bjp0bcyl5#
我不确定这是否是最安全的实现方式,老实说,这只是我找到的唯一一个。我认为direnv扩展使用了类似的策略。
有趣的是,你有更多的细节链接吗?在https://github.com/direnv/direnv-vscode中找不到关于秘密的信息。
我明白了。我想说这基本上是一个针对终端的功能请求,而不是用于调试,因为vscode无法以通用的方式处理所有调试适配器的工作方式。但是如果你像这里一样在终端中进行调试,它可以获取终端环境变量。
当然,终端调试是可以工作的——应该覆盖大多数常规情况吧?(PowerShell、NodeJS、.NET...)
7ivaypg96#
这个功能请求现在是我们待办事项列表的候选项目。社区有60天的时间对这个问题进行投票。如果它收到20个赞成票,我们将把它移到我们的待办事项列表中。如果没有,我们将关闭它。要了解更多关于我们如何处理功能请求的信息,请参阅我们的documentation。
快乐编码!
gmxoilav7#
🙂 This feature request received a sufficient number of community upvotes and we moved it to our backlog. To learn more about how we handle feature requests, please see our documentation .
Happy Coding!