
feat: Support for Private Repositories via Authentication #4

@lykhvar

Description


The Problem

Currently, vet is an excellent tool for safely running scripts from public URLs. However, many powerful use cases for secure script execution exist within private ecosystems (corporate intranets, personal servers, CI/CD pipelines) where scripts are not publicly accessible.

The standard curl | bash pattern offers no good way to handle authentication securely, and vet could fill this critical gap.

The Proposed Solution

This feature would extend vet to support fetching scripts from private sources by handling authentication tokens. This would allow users to safely run scripts from private GitHub/GitLab repositories, private Gists, or any other endpoint that requires an Authorization header.

Proposed Implementation Plan

This feature can be rolled out in phases to deliver value quickly while building up to a complete solution.

Phase 1: Support via .netrc

  • Action: Update command to include the -n (--netrc) flag.

  • User Experience: Users can configure their ~/.netrc file with credentials for specific hosts. vet will then work transparently with those private repositories.

  • Benefit: This is a low-effort, high-impact change that immediately enables the feature for advanced users with zero change to the command-line interface.

Phase 2: Support via Environment Variable

  • Action: Implement logic to detect a new environment variable (e.g., VET_TOKEN).

  • Details:

    • If VET_TOKEN is set, vet will automatically add the Authorization: Bearer $VET_TOKEN header to its curl/wget requests.

    • The README.md will be updated to document this as the primary method for authentication.

  • Benefit: This provides a modern, explicit, and CI/CD-friendly way to handle authentication.

Phase 3: (Future) Integration with Secret Management Systems

  • Action: Implement a new --token-stdin flag.

  • Details: When this flag is present, vet will read a single line from its standard input and use that as the authentication token. This allows for seamless and secure integration with any external secret management tool.

  • Benefit: This is the most secure and flexible method for handling secrets in automated environments. It decouples vet from any specific secret provider (Vault, AWS Secrets Manager, 1Password CLI, etc.) and aligns with modern security best practices.

Acceptance Criteria

  • A user can successfully vet a script from a private GitHub repository using a token.

  • The documentation is updated to clearly explain both the .netrc and VET_TOKEN methods.

  • Secrets (tokens) are never exposed in shell history or process lists.

  • The implementation is covered by new tests in the BATS suite.
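The sketch below is an added example, not code from vet or from this issue's author. It shows the three credential sources the proposal lists (curl's own `.netrc` lookup, a `VET_TOKEN` variable, and a `--token-stdin` mode) and how the token can be handed to curl without ever becoming a command-line argument, which is what keeps it out of `ps` output and shell history: the `Authorization` header is written to a mode-0600 curl config file that curl reads with `-K`. `VET_TOKEN` and `--token-stdin` are the names proposed above; the function names, the precedence order (stdin, then environment, then `.netrc` only) and the assumption that vet shells out to curl are choices made for this example.

```shell
#!/bin/sh
# Added example, not vet's own code. Token sources follow the issue's proposal;
# function names and precedence are assumptions made for this illustration.
set -u

# Resolve the token. "$1" is "stdin" when --token-stdin was given.
# Order assumed here: --token-stdin, then VET_TOKEN, otherwise return 1 so the
# caller falls back to curl's .netrc handling alone.
vet_resolve_token() {
  if [ "${1:-}" = "stdin" ]; then
    IFS= read -r tok || return 1        # exactly one line, newline stripped
    [ -n "$tok" ] || return 1
    printf '%s' "$tok"
    return 0
  fi
  if [ -n "${VET_TOKEN:-}" ]; then
    printf '%s' "$VET_TOKEN"
    return 0
  fi
  return 1
}

# Write a curl config file carrying the credential and print its path.
# umask 077 keeps other local users from reading it; the caller deletes it
# once the fetch is done (a trap on EXIT would do that in a real tool).
vet_write_curl_config() {
  tok=$1
  cfg=$(umask 077 && mktemp "${TMPDIR:-/tmp}/vet-auth.XXXXXX") || return 1
  # Backslash and double quote are the characters curl treats specially
  # inside a quoted config value, so escape those two.
  esc=$(printf '%s' "$tok" | sed 's/\\/\\\\/g; s/"/\\"/g')
  {
    printf 'netrc\n'                                      # Phase 1: honour ~/.netrc
    printf 'header = "Authorization: Bearer %s"\n' "$esc"  # Phase 2/3: explicit token
  } > "$cfg"
  printf '%s' "$cfg"
}

# Build the curl command line for a URL. The secret is never an argument;
# only the config file path is visible to other processes.
vet_curl_cmdline() {
  url=$1
  mode=${2:-}
  if tok=$(vet_resolve_token "$mode"); then
    cfg=$(vet_write_curl_config "$tok") || return 1
    printf 'curl -fsSL -K %s -- %s\n' "$cfg" "$url"
  else
    printf 'curl -fsSL -n -- %s\n' "$url"                 # .netrc only
  fi
}
```

With `VET_TOKEN` set, `vet_curl_cmdline https://host/script.sh` prints a `curl ... -K /tmp/vet-auth.XXXXXX -- https://host/script.sh` line with no token in it; `printf '%s\n' "$token" | vet_curl_cmdline https://host/script.sh stdin` does the same for the `--token-stdin` path, and with neither source available the command falls back to `curl -n` so `~/.netrc` alone decides. The same argv-free property could be had with `curl -H @file`, but a config file also carries the `netrc` directive and any later options in one place.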
