Please report security issues privately rather than opening a public issue. Use GitHub's private vulnerability reporting on this repository. You'll get an acknowledgement and a fix or mitigation plan.
grim is designed so that secret values never live in a grimoire — only references
(op://…, age:…) that a secret provider resolves at apply-time.
Principles:
- Secret backends are optional; the core never depends on one and never logs a resolved value.
- References resolve lazily — only when something being applied uses them.
- The 1Password provider shells out to the
opCLI; the age provider decrypts in-process. grim takes no dependency on unofficial vault SDKs.
If you find a path where grim writes, logs, or otherwise exposes a secret value, treat it as a vulnerability and report it as above.