{"id":18299668,"url":"https://github.com/containersolutions/saferun","last_synced_at":"2026-02-14T04:07:08.926Z","repository":{"id":57653165,"uuid":"452239653","full_name":"ContainerSolutions/saferun","owner":"ContainerSolutions","description":"run binaries with encrypted environment variables","archived":false,"fork":false,"pushed_at":"2022-02-01T11:46:26.000Z","size":9027,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-01-22T16:13:22.480Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ContainerSolutions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-01-26T10:54:23.000Z","updated_at":"2022-04-14T08:28:59.000Z","dependencies_parsed_at":"2022-08-31T22:20:24.539Z","dependency_job_id":null,"html_url":"https://github.com/ContainerSolutions/saferun","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fsaferun","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fsaferun/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fsaferun/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fsaferun/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ContainerSolutions","download_url":"https://codeload.github.com/ContainerSolutions/saferun/tar.gz/refs/heads/m
aster","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243822313,"owners_count":20353496,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-05T15:09:49.980Z","updated_at":"2026-02-14T04:07:08.873Z","avatar_url":"https://github.com/ContainerSolutions.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Saferun\n\nSaferun is designed for the (now niche) cases where a host holds several sensitive environment variables for its applications, which risks a leak if the host is targeted and also if an application itself is attacked.\n\nSaferun tackles that by allowing encrypted environment variables to be kept in the host's environment.\n\n## Getting Started\n\nWe start by creating an environment variable encrypted with a public key:\n\n```\nexport SAFE_RUN_DATABASE_PASSWORD=$(saferun encrypt --public-key=test.pub \"my-unencrypted-password\")\n```\n\n\nThen, we run the process with saferun and the private key:\n\n```\nsaferun run --private-key=test.key --only-encrypted /bin/env\n```\n\nThe result is an environment for the process that contains every successfully decrypted variable. The `--only-encrypted` option controls whether the rest of the environment is shared as well, or only the decrypted context.\n\n## Using Two Keys\n\nEach set of applications should have its own private key to control what is available for its safe run. 
To do so, we can simply create two environment variables with different keys:\n```\nexport SAFE_RUN_app1=$(saferun encrypt --public-key=test.pub \"app1_key\")\nexport SAFE_RUN_app2=$(saferun encrypt --public-key=second.pub \"app2_key\")\n```\n\nNow, if we run app1 with app1's key:\n```\nsaferun run --private-key=test.key /bin/env\n```\nonly the app1 environment variable is available unencrypted. The app2 variable is still available but encrypted (hence not useful for app1).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainersolutions%2Fsaferun","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainersolutions%2Fsaferun","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainersolutions%2Fsaferun/lists"}