Remove superfluous warning: X "may be a potentially sensitive environment variable."

Adam2 · July 25, 2023, 5:15am

WARN KEY may be a potentially sensitive environment variable. Consider setting it as a secret, and removing it from the [env] section: https://fly.io/docs/reference/secrets/
 KEY
WARN KEY may be a potentially sensitive environment variable. Consider setting it as a secret, and removing it from the [env] section: https://fly.io/docs/reference/secrets/
 KEY
WARN KEY may be a potentially sensitive environment variable. Consider setting it as a secret, and removing it from the [env] section: https://fly.io/docs/reference/secrets/
 KEY
WARN PRIVATE may be a potentially sensitive environment variable. Consider setting it as a secret, and removing it from the [env] section: https://fly.io/docs/reference/secrets/
 PRIVATE

This is a weird warning for a couple reasons:

I don’t have a variable named KEY or PRIVATE. I have one named AC_APP_KEY and one named PRIVATE_IMAGE_BUCKET.
Neither of those variables is secret.

Is there a way to silence the warning for these variables that I know are safe?
Is there a way to fail my deploy instead of showing a warning if a new potentially sensitive variable is added?

The warning as it stands is noisy FUD, but if it’s given some bite (and actually fails the deploy) and I can explicitly override it when I know it’s safe, then I guess it could be a helpful point of reflection to leave it in. Otherwise, I’d like to just blanketly disable it.

billy · July 25, 2023, 9:26pm

Hi Adam2,
This looks like a bug in the secret detection code of flyctl. This was fixed and should be available in the next release of flyctl (v0.1.66 when it’s actually released).

As of now, there isn’t a way to disable it, but that does seem like a good idea. We should probably implement a work around, something like a --ignore-potential-secrets flag (but named better).

As for why it’s a warning rather than a hard failure, this has false positives as you can see, and introducing a change that can fail CI deployments over a false positive would make some people upset.

Adam2 · July 26, 2023, 12:04am

Thanks billy. --not-secrets=AC_APP_KEY,PRIVATE_IMAGE_BUCKET --on-potential-secrets=fail is a pair of flags I’d use if they were available. That would make the fail opt-in so no one gets upset.

Adam2 · July 31, 2023, 7:30am

Just noticed the fix for the variable names came through to my Github Actions. Thanks!

system · August 7, 2023, 7:31am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot add Private Key using flyctl to a environment variable Questions / Help	8	1363	May 8, 2023
Reasoning about environment variables, secrets, and how to be safe	4	1300	August 10, 2020
Environment variables Questions / Help	37	3466	June 8, 2024
Secrets vs. Normal Environment Variables	1	1030	February 24, 2023
How to prevent injection of FLY_ env variables into the container	6	85	January 14, 2025

Remove superfluous warning: X "may be a potentially sensitive environment variable."

Related topics