# Environment Variable Security
## Rule
Environment files containing real secrets (API keys, tokens, passwords) MUST be excluded from version control. Template files with placeholder values MUST be provided for team onboarding.
## Required File Structure
```
environments/
├── dev.bru # Committed — test/dev credentials only
├── ci.bru # Committed — CI-specific config, secrets via CLI
├── production.bru # NEVER committed — real production secrets
├── local.bru # NEVER committed — personal dev overrides
└── .gitignore # Excludes production.bru and local.bru
```
## .gitignore Configuration
```gitignore
# environments/.gitignore
production.bru
local.bru
*.secret.bru
```
## Template File (Committed)
```
# environments/dev.bru
vars {
  baseUrl: http://localhost:3000
  authToken:
  testUserEmail: test@dev.example.com
  testUserPassword: devpassword123
}
```
## CI Environment (Committed, Secrets via CLI)
```
# environments/ci.bru
vars {
  baseUrl: http://localhost:3000
  authToken:
}
```
```bash
# CI passes secrets via CLI
bru run --env ci \
  --env-var "authToken=${API_TOKEN}" \
  --env-var "baseUrl=${API_URL}"
```
## Rules
1. Never commit files with production API keys, tokens, or passwords
2. Always provide template files with placeholder values
3. Pass CI secrets via --env-var, not committed files
4. Use different credentials for each environment
5. Rotate test credentials regularly
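A pre-commit style check that enforces the file structure, the .gitignore exclusions and rule 3 above. This is an added example, not part of this page or of the Bruno project; the secret-key regex, the allow-list of committed template names and the sample file contents are assumptions constructed for illustration.

```python
import re
from fnmatch import fnmatch

# Heuristic for keys that carry credentials (assumption: adjust to your naming scheme).
SECRET_KEY_RE = re.compile(r"token|secret|password|apikey|api_key", re.IGNORECASE)
# Files the rule allows in version control (dev.bru: test creds only, ci.bru: no secrets).
COMMITTED_TEMPLATES = {"dev.bru", "ci.bru"}
CI_FILE = "ci.bru"

def parse_vars(text):
    """Parse the `vars { key: value }` block of a .bru environment file into a dict."""
    match = re.search(r"vars\s*\{(.*?)\}", text, re.DOTALL)
    result = {}
    for line in (match.group(1).splitlines() if match else []):
        line = line.strip()
        if line and ":" in line:
            key, _, value = line.partition(":")  # split at the first colon only
            result[key.strip()] = value.strip()
    return result

def is_ignored(name, gitignore_text):
    """True if any non-comment pattern in environments/.gitignore matches the file name."""
    patterns = [p.strip() for p in gitignore_text.splitlines()]
    return any(fnmatch(name, p) for p in patterns if p and not p.startswith("#"))

def audit(env_files, gitignore_text):
    """env_files maps file name -> contents. Returns a list of policy violations."""
    findings = []
    for name, text in env_files.items():
        # Anything that is not a documented template must be excluded from git.
        if name not in COMMITTED_TEMPLATES and not is_ignored(name, gitignore_text):
            findings.append(f"{name}: not a template and not excluded by .gitignore")
        # The CI file is committed, so its secret-bearing keys must stay empty.
        if name == CI_FILE:
            for key, value in parse_vars(text).items():
                if SECRET_KEY_RE.search(key) and value:
                    findings.append(f"{name}: '{key}' must be empty; pass it via --env-var")
    return findings

# Constructed sample inputs mirroring the layout above (not read from disk).
GITIGNORE = "# environments/.gitignore\nproduction.bru\nlocal.bru\n*.secret.bru\n"
SAMPLE_ENVS = {
    "dev.bru": "vars {\n  baseUrl: http://localhost:3000\n  authToken:\n}\n",
    "ci.bru": "vars {\n  baseUrl: http://localhost:3000\n  authToken: PLACEHOLDER-LEAKED\n}\n",
    "production.bru": "vars {\n  authToken: PLACEHOLDER-REAL\n}\n",
    "staging.bru": "vars {\n  authToken: PLACEHOLDER-REAL\n}\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENVS, GITIGNORE):
        print(finding)  # reports ci.bru (filled token) and staging.bru (not ignored)
```

Run it from environments/ after loading the real files into the dictionary; a non-empty result should fail the hook.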
## Anti-Patterns
- Committing production.bru with real API keys
- Using the same credentials across all environments
- Hardcoding secrets in request headers instead of environment variables
- Not providing template files (new team members cannot set up)