Not sure this is accurate. When using the local or a batch scheduler executor, the secrets are propagated in the container environment only using the secret name e.g. |
Hi,
I've observed that Nextflow's secrets feature exposes secrets directly as environment variables to the Docker container (e.g. -e variable=secret). This practice raises concerns about potential security vulnerabilities, as sensitive information could be inadvertently exposed to users through tools like top or htop. While I understand that Docker requires root privileges for full functionality, which may not be suitable for shared VM/HPC environments, I would like to seek your insights on this issue. Should Nextflow pipeline maintainers explicitly declare in the pipeline repository when they employ the secrets feature to alert users of the potential risks?
In my current setup, I utilize Docker on virtual machines within cloud environments with single-user access. However, I'm curious about the security implications of this approach on other host setups with Docker installed.
Thank you for your attention to this matter.
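The exposure the question describes is a host-side one: a value passed as `-e NAME=VALUE` becomes part of the container runtime's argv, and argv (`ps`, `/proc/PID/cmdline`) is readable by every local user on a default Linux host, while a process's environment (`/proc/PID/environ`) is only readable by its owner and root. The name-only form `-e NAME`, which takes the value from the caller's environment and is what the reply refers to, and `--env-file` put only a variable name or a file path on the command line. The following audit script is an added example written for this thread, not Nextflow's code nor anything posted by the participants; it scans `ps -eo args` style output for `docker run` lines that carry inline values and reports the variable names without echoing the values. The sample listing, image name, variable names and values are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper (not Nextflow code): scan a process listing for
# `docker run` invocations that pass environment variables with the value
# inline (-e NAME=VALUE or --env=NAME=VALUE). Such a value sits in the
# container runtime's argv, which any local user can read through
# `ps` / /proc/PID/cmdline. The name-only form (-e NAME, value taken from
# the caller's environment) and --env-file expose only the name or a file
# path on the command line.

# Print the variable names (never the values) of every inline assignment in
# one docker command line. Returns 0 if at least one was found, 1 otherwise.
inline_env_values() (
    set -f                       # disable globbing while word-splitting $1
    found=1
    prev=""
    set -- $1
    for tok in "$@"; do
        case "$prev" in
            -e|--env)
                case "$tok" in
                    *=*) printf '%s\n' "${tok%%=*}"; found=0 ;;
                esac ;;
        esac
        case "$tok" in
            --env=*=*) name=${tok#--env=}; printf '%s\n' "${name%%=*}"; found=0 ;;
        esac
        prev=$tok
    done
    return "$found"
)

# Read `ps -eo args` style output on stdin (one command line per line) and
# print one LEAK line per offending `docker run`, listing the variable names.
# Returns 1 if anything was flagged so it can gate a cron job or CI step,
# 0 if the listing is clean.
audit_process_list() {
    leaks=0
    while IFS= read -r line; do
        case "$line" in
            *docker*run*)
                if names=$(inline_env_values "$line"); then
                    leaks=$((leaks + 1))
                    printf 'LEAK: inline value(s) for %s\n' \
                        "$(printf '%s' "$names" | tr '\n' ' ')"
                fi ;;
        esac
    done
    [ "$leaks" -eq 0 ]
}

# Constructed sample listing standing in for `ps -eo args` output; the
# image name, variable names and values are placeholders.
SAMPLE_PS='docker run --rm -e SAMPLE_API_TOKEN=hunter2 -e SAMPLE_WORKDIR quay.io/example/tool:1.0 bash .command.run
docker run --rm -e SAMPLE_API_TOKEN --env-file /run/secrets/task.env quay.io/example/tool:1.0 bash .command.run
docker run --rm --env=DB_PASSWORD=s3cret quay.io/example/tool:1.0 bash .command.run
/usr/bin/dockerd -H fd://'

# Demo run; on a real host replace the sample with:  ps -eo args | audit_process_list
printf '%s\n' "$SAMPLE_PS" | audit_process_list || echo "inline secret values found in the process list"
```

On the sample, lines 1 and 3 are flagged (`SAMPLE_API_TOKEN` and `DB_PASSWORD`); line 2 passes only the name and an env-file path, so it is clean. The script flags every inline assignment rather than guessing which names are secrets, since a non-secret `-e X=Y` on a shared host is at worst noise while a missed token is a leak; on a shared VM or HPC node the same check can be run periodically against `ps -eo args` and its non-zero exit used to alert.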