Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Inject Doppler secrets as environment variables into your Python application during local development with debugging support for PyCharm and Visual Studio Code.
The doppler-env package automates the injection of Doppler secrets as environment variables into any Python application and works in the terminal, PyCharm, and Visual Studio Code.
The Doppler CLI provides the easiest method of injecting secrets into your application:
doppler run -- python app.py
But when debugging with PyCharm or Visual Studio Code, a vendor-specific Python entry-point is used, preventing the Doppler CLI from acting as the application runner. At Doppler, we go to great lengths to prevent secrets ending up on developer's machines so downloading secrets to a .env file wasn't an option.
Thanks to Python's Site configuration hook via a path configuration file, we can replicate the doppler run
workflow by fetching the secrets via the Doppler CLI (recommended) or API and injecting into your Python application process prior to your code by being executed.
Ensure you have installed the Doppler CLI locally and have created a Doppler Project. Then authorize the Doppler CLI to retrieve secrets from your workplace by running:
doppler login
Then install doppler-env
in your local development environment or add it to the list of dev specific dependencies:
pip install doppler-env
First, define the DOPPLER_ENV
environment variable in your IDE, editor, or terminal to trigger the injection of secrets:
export DOPPLER_ENV=1
You can enable logging for troubleshooting purposes by setting the DOPPLER_ENV_LOGGING
environment variable:
export DOPPLER_ENV_LOGGING=1
Then configure which secrets to fetch for your application by either using the CLI in the root directory of your application:
doppler setup
Or set the DOPPLER_PROJECT
and DOPPLER_CONFIG
environment variables in your debug configuration within PyCharm or Visual Studio Code.
Now whenever the Python interpreter is invoked for your application, secrets will be injected prior to your application being run:
python app.py
# >> [doppler-env]: DOPPLER_ENV environment variable set. Fetching secrets using Doppler CLI
In restrictive environments where the use of the Doppler CLI isn't possible, set a DOPPLER_TOKEN
environment variable with a Service Token to fetch secrets directly from the Doppler API:
export DOPPLER_TOKEN='dp.st.dev.xxxxxxx'
python app.py
# >> [doppler-env]: DOPPLER_ENV and DOPPLER_TOKEN environment variable set. Fetching secrets from Doppler API
This approach to injecting environment variables was inspired by patch-env.
For any bug reports, issues, or enhancements, please create a repository issue.
You can get support in the Doppler community forum, find us on Twitter, and for bugs or feature requests, create an issue on the DopplerHQ/python-doppler-env GitHub repository.
If you need help, either use our in-product support or head over to the Doppler Community Forum to get your questions answered by a member of the Doppler support team or
FAQs
Inject Doppler secrets as environment variables into your Python application during local development with debugging support for PyCharm and Visual Studio Code.
We found that doppler-env demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.