> putting secrets into environment variables in the first place - that is appare... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		shlomo_z 56 days ago \| parent \| context \| favorite \| on: How we exploited CodeRabbit: From simple PR to RCE... > putting secrets into environment variables in the first place - that is apparently acceptable to them and sets off a red flag for me Isn't that standard? The other options I've seen are .env files (amazing dev experience but not as secure), and AWS Secrets Manager and similar competition like Infisical. Even in the latter, you need keys to authenticate with the secrets manager and I believe it's recommended to store those as env vars. Edit: Formatting

vmatsiiako 56 days ago [–]

You can use native authentication methods with Infisical that don't require you to use keys to authenticate with your secrets manager: - https://infisical.com/docs/documentation/platform/identities... - https://infisical.com/docs/documentation/platform/identities...

Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact