Skip to content

Security

Secret handling

Never commit or print API keys, provider tokens, ShotGrid script keys, SSH private keys, private pod IDs, or local artifact bundles. Secrets must not appear on stdout or stderr.

Use environment variables or a supported secret store. Examples and fixtures must use obvious non-secret values.

Local data

Local execution reduces exposure but does not automatically secure files. Restrict access to source, intermediate, manifest, and artifact directories. Review OCR and redaction outputs before sharing them.

Commands and streams

Plugins construct explicit argument arrays. Batch Runner accepts explicit mere.run argv, not generic shell fragments. JSON or path results go to stdout; diagnostics go to stderr.

Provider credentials

Use least-privilege accounts and provider keys. Run doctor before execution, review plan, and verify cleanup after every remote run.

Dependencies and source

Catalog installation specs point to the public repository and explicit package subdirectories. Release changes should be reviewed with the same attention as runtime code because plugins can invoke local tools and provider APIs.

Reporting

Report vulnerabilities through the repository's private security reporting path when available; do not publish live credentials or exploitable account details in an issue.

Official companion plugins for the local mere.run runtime.