From 9ebd8ff990b5a8341be64bbd2e73fcab87128f74 Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Wed, 17 Dec 2025 19:03:31 +1100
Subject: [PATCH 1/2] remove --out from harvest examples with remote mode, in README
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 8d3e455..cd3bba4 100644
--- a/README.md
+++ b/README.md
@@ -259,10 +259,10 @@ On the host (root recommended to harvest as much data as possible):
 ```bash
 enroll harvest --out /tmp/enroll-harvest
 ```
-### Remote harvest over SSH (no enroll install required on the remote host)
+### Remote harvest over SSH (no enroll install required on the remote host, no need for --out)
 ```bash
-enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest
+enroll harvest --remote-host myhost.example.com --remote-user myuser
 ```
 ### `--dangerous` (captures potentially sensitive files — read the warning above)
@@ -274,7 +274,7 @@ enroll harvest --out /tmp/enroll-harvest --dangerous
 Remote + dangerous:
 ```bash
-enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest --dangerous
+enroll harvest --remote-host myhost.example.com --remote-user myuser --dangerous
 ```
 ### `--sops` (encrypt bundles at rest)
From 62ec8e8b1bb7178b8f40574b38b2b6d8c7555780 Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Wed, 17 Dec 2025 19:05:07 +1100
Subject: [PATCH 2/2] Silence bandit paranoia on certain lines
---
 enroll/manifest.py | 2 +-
 enroll/remote.py | 2 +-
 enroll/sopsutil.py | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/enroll/manifest.py b/enroll/manifest.py
index 09666d4..afb8b88 100644
--- a/enroll/manifest.py
+++ b/enroll/manifest.py
@@ -567,7 +567,7 @@ def _tar_dir_to_with_progress(
 cols = shutil.get_terminal_size((80, 20)).columns
 msg = msg[: cols - 1]
 except Exception:
- pass
+ pass # nosec
 os.write(2, ("\r" + msg).encode("utf-8", errors="replace"))
 with tarfile.open(tar_path, mode="w:gz") as tf:
diff --git a/enroll/remote.py b/enroll/remote.py
index df8d876..7ad8dc4 100644
--- a/enroll/remote.py
+++ b/enroll/remote.py
@@ -200,7 +200,7 @@ def remote_harvest(
 # Stream a tarball back to the local machine (avoid creating a tar file on the remote).
 cmd = f"tar -cz -C {rbundle} ."
- _stdin, stdout, stderr = ssh.exec_command(cmd)
+ _stdin, stdout, stderr = ssh.exec_command(cmd) # nosec
 with open(local_tgz, "wb") as f:
 while True:
 chunk = stdout.read(1024 * 128)
diff --git a/enroll/sopsutil.py b/enroll/sopsutil.py
index d43d351..6c0c881 100644
--- a/enroll/sopsutil.py
+++ b/enroll/sopsutil.py
@@ -2,7 +2,7 @@ from __future__ import annotations
 import os
 import shutil
-import subprocess
+import subprocess # nosec
 import tempfile
 from pathlib import Path
 from typing import Iterable, List, Optional
@@ -62,7 +62,7 @@ def encrypt_file_binary(
 ],
 capture_output=True,
 check=False,
- )
+ ) # nosec
 if res.returncode != 0:
 raise SopsError(
 "sops encryption failed:\n"
@@ -112,7 +112,7 @@ def decrypt_file_binary_to(
 ],
 capture_output=True,
 check=False,
- )
+ ) # nosec
 if res.returncode != 0:
 raise SopsError(
 "sops decryption failed:\n"
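Review bot: The `# nosec` added after `pass` in `_tar_dir_to_with_progress` (enroll/manifest.py) is unscoped, so it silences every Bandit check on that line, including any that would only start firing after a later edit; the same applies to the markers added in enroll/remote.py and in all three enroll/sopsutil.py hunks. Naming the test and the reason keeps each suppression auditable, e.g. `pass  # nosec B110 - terminal width lookup is best-effort` here, and `import subprocess  # nosec B404` and `)  # nosec B603` in sopsutil.py (plus B607 if the sops binary is named without a full path, which the hunks do not show). With the scoped form, a future `shell=True` on the sops calls would still be reported instead of being hidden by the existing marker. The `try:` this `except Exception:` belongs to starts outside the hunk.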
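Review bot: In enroll/remote.py the marker on `ssh.exec_command(cmd)` suppresses the finding without addressing what it points at: `cmd` is built as `f"tar -cz -C {rbundle} ."`, so `rbundle` reaches the remote shell unquoted. Where `rbundle` comes from is outside the hunk; unless it is guaranteed free of whitespace and shell metacharacters, quote it with `cmd = f"tar -cz -C {shlex.quote(rbundle)} ."` (needs `import shlex`) and scope the marker as `# nosec B601` with a short reason. The exit status of the remote `tar` is also not checked in the visible lines, so a truncated stream could be written to `local_tgz` as if it were complete; `stdout.channel.recv_exit_status()` after the read loop would catch that, if it is not already done below the hunk. remote_harvest's body starts and continues outside the hunk.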