dotset shield run

Run any command with secrets injected from multiple providers and output protection.

Usage

dotset shield run [options] -- <command...>
Use -- to separate dotset options from your command.

Options

Option                    Description                        Default
-p, --providers <list>    Comma-separated providers          auto
-s, --scope <scope>       Environment scope                  development
-m, --mode <mode>         Protection mode                    redact
--redact-text <text>      Replacement text                   [REDACTED]
-q, --quiet               Suppress shield output             false
--report                  Generate HTML protection report    false
--no-telemetry            Disable cloud reporting            false

Secret Resolution

Shield aggregates secrets from the configured providers. The default, --providers auto, probes every supported provider and uses each one it can detect; pass an explicit list when you want to control exactly which sources are consulted.

Supported Providers

  • dotenv: Loads from .env, .env.local, .env.development, etc.
  • environment: Shell environment variables (with common prefixes like API_, SECRET_, TOKEN_)
  • aws-sm: AWS Secrets Manager
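The following is an added example of the resolution step for two of the providers listed above, dotenv files and prefixed environment variables. It is not dotset's own code: the dotenv file load order, the "later provider wins" merge rule, the prefix list, the minimum secret length and the sample file contents are all assumptions made for the example.

```javascript
// Added example (not dotset's own code): resolve secrets from dotenv files
// and prefixed environment variables, merge them into one map, and derive
// the list of values an output redactor would need to protect.

// Minimal dotenv parser: KEY=value lines, '#' comments, optional quotes and
// an optional "export " prefix. Deliberately not a full dotenv implementation.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    const quoted = /^(['"])(.*)\1\s*(?:#.*)?$/.exec(value);
    if (quoted) value = quoted[2];
    else value = value.replace(/\s+#.*$/, '').trim(); // strip trailing comment
    out[m[1]] = value;
  }
  return out;
}

// dotenv provider. File order is an ASSUMPTION for this example: the scoped
// file overrides .env and .env.local overrides both.
function dotenvProvider(files, scope) {
  const order = ['.env', `.env.${scope}`, '.env.local'];
  const merged = {};
  for (const name of order) {
    if (files[name] !== undefined) Object.assign(merged, parseDotenv(files[name]));
  }
  return merged;
}

// environment provider: keep only variables whose names start with one of the
// prefixes (the page names API_, SECRET_, TOKEN_ as examples of such prefixes).
function environmentProvider(env, prefixes = ['API_', 'SECRET_', 'TOKEN_']) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (prefixes.some(p => k.startsWith(p))) out[k] = v;
  }
  return out;
}

// Aggregate in the order the user listed providers; later providers win.
// That precedence rule is an assumption, not something the page specifies.
function resolveSecrets(providers, ctx) {
  const merged = {};
  for (const p of providers) {
    if (p === 'dotenv') Object.assign(merged, dotenvProvider(ctx.files, ctx.scope));
    else if (p === 'environment') Object.assign(merged, environmentProvider(ctx.env, ctx.prefixes));
    else throw new Error(`provider not implemented in this example: ${p}`);
  }
  return merged;
}

// Injection step: the child inherits the parent environment, with resolved
// secrets layered on top (assumed behaviour for this example).
function buildChildEnv(parentEnv, secrets) {
  return { ...parentEnv, ...secrets };
}

// Values worth redacting later. Very short values (ports, flags) are dropped:
// redacting "3000" everywhere would mangle ordinary output. 8 is an assumption.
function secretValues(secrets, minLength = 8) {
  return [...new Set(Object.values(secrets).filter(v => v.length >= minLength))];
}

// Constructed sample input for this example (placeholders, not real secrets).
const sampleFiles = {
  '.env': 'DB_URL=postgres://app:pw@db/app\nAPI_KEY="dev-key-000000" # dev default\nPORT=3000\n',
  '.env.development': 'export API_KEY=dev-key-111111\n',
};
const sampleEnv = {
  TOKEN_GITHUB: 'ghp_placeholder_not_a_real_token',
  HOME: '/home/ci',
  SECRET_X: 'short',
};
```

With these inputs, API_KEY resolves to the value from .env.development, HOME is ignored because it carries none of the prefixes, and only three of the five resolved values are long enough to be worth redacting. The check that matters in practice is the last one: feeding every resolved value, including short ones, to the redactor turns common substrings of normal output into [REDACTED].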

Examples

Zero-Setup (.env auto-detection)

dotset shield run -- npm start

Explicit Providers

dotset shield run --providers dotenv,aws-sm -- node server.js

With Redaction (the default mode, passed explicitly)

dotset shield run --mode redact -- npm test

Production Scope

dotset shield run --scope production -- node server.js

Compliance Reports

Use the --report flag to generate a standalone HTML report after each run. This is useful for:
  • Audit trails: Document what protection was applied
  • Compliance evidence: SOC 2, ISO 27001 artifact generation
  • CI artifacts: Upload to your build system for review

dotset shield run --report -- npm test
# Generates: shield-report.html

The report includes:
  • Run summary (command, mode, duration)
  • Secrets protected (count by provider)
  • Exposures detected and blocked
  • Pattern matches with severity levels

In CI, upload the report as a build artifact for compliance auditing.

Security Policies

By default (that is, when the project is not linked to the Cloud), run scans your output with a built-in list of high-accuracy patterns (AWS keys, GitHub tokens, etc.).

Auto-Updating Patterns

When your project is linked to the cloud, Shield automatically syncs your security policies:
  • Patterns are refreshed every hour in the background
  • Custom patterns you add in the Dashboard are applied immediately
  • If the cloud is unreachable, Shield falls back to cached policies
This means your team always has the latest protection without manual updates.

Linking for Customization

To use custom regex patterns or disable specific default rules, you must link your project to the Cloud. When linked, the CLI fetches your project-specific policies from the Dashboard, and these completely override the local defaults rather than extending them. Because of that, check that the policy you publish still covers every default pattern you rely on; a default rule that is absent from the project policy is no longer applied. See the Security Policies guide for a full list of default patterns.

How It Works

  1. Resolution: Aggregates secrets from all specified providers.
  2. Injection: Injects discovered secrets into the child process environment.
  3. Redaction: Intercepts stdout/stderr using a streaming line-buffered engine. The unterminated tail of each chunk is held back until the next newline arrives, so a secret that is split across two output chunks is reassembled and caught.
  4. Flush: Flushes any remaining buffered text before exiting.
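Steps 3 and 4 above, together with the built-in pattern scanning described under Security Policies, are shown in the added example below. It is illustrative code, not dotset's engine: the two regexes are written from the publicly documented AKIA and ghp_ token prefixes rather than taken from dotset's rule set, and the secret values and output chunks are constructed for the example.

```javascript
// Added example (not dotset's engine): a streaming, line-buffered redactor.
// write() holds back the partial last line of each chunk so a secret split
// across two chunks is still matched; flush() releases whatever is buffered
// at exit. Exact secret values and regex patterns are both redacted.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

class StreamRedactor {
  constructor({ secrets = [], patterns = [], redactText = '[REDACTED]' } = {}) {
    this.redactText = redactText;
    this.buffer = '';
    this.exposures = 0;
    // Longest values first: if one secret is a prefix of another, the longer
    // one must win or its tail would stay visible.
    const literal = [...secrets].sort((a, b) => b.length - a.length).map(escapeRegExp);
    const parts = [...literal, ...patterns.map(p => p.source)];
    this.matcher = parts.length ? new RegExp(parts.join('|'), 'g') : null;
  }

  redactLine(line) {
    if (!this.matcher) return line;
    return line.replace(this.matcher, () => { this.exposures += 1; return this.redactText; });
  }

  // Feed one stdout/stderr chunk; returns only the redacted complete lines.
  write(chunk) {
    this.buffer += chunk;
    const lines = this.buffer.split('\n');
    this.buffer = lines.pop(); // unterminated tail waits for the next chunk
    return lines.map(l => this.redactLine(l) + '\n').join('');
  }

  // Call before exit so an unterminated last line is neither lost nor leaked.
  flush() {
    const tail = this.buffer;
    this.buffer = '';
    return tail === '' ? '' : this.redactLine(tail);
  }
}

// Two pattern families the page names, written from their public formats.
// These are illustrative, not dotset's actual rules.
const DEFAULT_PATTERNS = [
  /AKIA[0-9A-Z]{16}/,        // AWS access key id
  /ghp_[A-Za-z0-9]{36}/,     // GitHub personal access token
];

// Run a sequence of chunks through one redactor, as a wrapper would for a
// child process's stdout, and flush at the end.
function redactAll(chunks, opts) {
  const r = new StreamRedactor(opts);
  let output = '';
  for (const c of chunks) output += r.write(c);
  output += r.flush();
  return { output, exposures: r.exposures };
}

// Constructed chunks: the API key is split across chunks 1 and 2, and an
// AWS-style id (AWS's documented example value) sits in an unterminated
// final line that only flush() will emit.
const SAMPLE_CHUNKS = [
  'connecting with key dev-ke',
  'y-111111 ok\nlistening on 3000\n',
  'aws id AKIAIOSFODNN7EXAMPLE',
];
```

Two caveats follow directly from the design. Matching is per line, so a secret that contains a newline, or output that prints the secret base64-, URL- or JSON-encoded, is not caught by this engine; treat line buffering as protection against accidental plaintext echoes, not as a guarantee. And because the unterminated tail is withheld, a prompt printed without a trailing newline is not shown until the next newline or the final flush, which matters for interactive commands.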

Exit Codes

Shield exits with the exit code of the wrapped command, so scripts and CI jobs see the same status they would without it. Shield itself never fails silently.