mig5/enroll
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Activity Actions

Doc updates
All checks were successful
CI / test (push) Successful in 49s
Details
CI / test (almalinux, docker.io/library/almalinux:9, python3.11) (push) Successful in 11m47s
Details
CI / test (debian, docker.io/library/debian:13, python3) (push) Successful in 20m32s
Details
Lint / test (push) Successful in 47s
Details

Browse source
This commit is contained in:
Miguel Jacq 2026-06-22 14:49:56 +10:00
parent ad019f6b09
commit 70525e52d8
Signed by: mig5
GPG key ID: 03906B4110AAD3B8
2 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -285,6 +285,8 @@ By default, `enroll` does **not** assume how you handle secrets in Ansible. It w
Safe-mode content scanning is intentionally conservative. It treats common assignment-style credential keys as sensitive, including names such as `password`, `client_secret`, `secret_key`, `auth_token`, `api_key`, `aws_access_key_id`, `aws_secret_access_key`, `azure_client_secret`, `GOOGLE_APPLICATION_CREDENTIALS`, and service-account key names.
**IMPORTANT**: Enroll ignores comments in files! If you have commented out *real secrets*, there's still a risk that Enroll could capture that data even without `--dangerous`. If you are in doubt, play it safe: use `--sops` and/or encrypt the output at rest in a way that makes sense to you.
Automatic harvesting of per-user shell dotfiles is also disabled by default, even when those files differ from `/etc/skel`, because `.bashrc`, `.profile`, `.bash_aliases`, and similar files commonly contain exported tokens, credentials, or aliases/functions with embedded secrets. Use `--dangerous` for automatic shell-dotfile capture, or use targeted `--include-path` patterns for narrower safe-mode review.
If you wish to opt in to collecting everything, use `--dangerous` mode, but be aware of what it means: