It’s Cybersecurity Awareness Month! Join our interactive training session, or learn about security and AI from 1Password experts.
[new tool] varlock: schema-driven env vars
TL;DR: We've launched something new, it's called varlock. It's like DMNO but simpler and easier to get started. It's built on top of the .env files you're already using. It makes them safer to use and share. We'd love your feedback. >> 🧙♂️https://varlock.dev --- We've been heads down working on the next evolution of secrets and configuration tooling building on what we've learned so far creating DMNO. If you've used DMNO, varlock will feel familiar. But instead of writing schemas in TypeScript, we've created a lightweight DSL that sits on top of your .env files. We think this allows for much simpler onboarding (and offboarding!). And because it's all based on decorators in comments, it should play nice with your existing tools. For any tools that would like to make use of this new syntax, we've also created an open specification, we call it @env-spec, and there's an active RFC if you would like to get involved. >> RFC: https://github.com/dmno-dev/varlock/discussions/17 —- So why varlock? Varlock is a suite of tools built to improve the experience of working with environment variables, both in terms of security and developer experience. It provides: Validation - catch errors in development instead of production Type-safety - improved DX via detailed IntelliSense Security - secret redaction in stdout and global console methods Environments - Compose defaults, environment-specific .env files, and local git-ignored overrides Secrets - use any third party provider that has a CLI to load values What next? We're just getting started and we have big plans to expand the feature set of varlock. Coming soon you'll see: Local override encryption via a desktop app using biometrics Shared team vaults with trustless cloud storage GitHub App to track config changes with audit trails Deeper integration with providers like 1Password If you've read this far, thank you. Please check out varlock and let us know what you think by replying to this post, or joining us on Discord. Tools like this are only as good as the community that shapes them. >> 🧙♂️https://varlock.dev Thanks ✌️openv – A simple CLI tool to wrap commands with 1Password secrets from .env
Hey folks, 👋 I just released a new version of a small command-line tool I’ve been working on called openv. 💡 What it does: It automatically wraps selected dev commands (like npm dev, pnpm run, etc.) with op run, if your project’s .env file contains op:// secrets from 1Password. So instead of manually writing: run --env-file=.env -- npm run dev You can just type, as you would normally do: npm run dev And it will be wrapped automatically via a shell hook. 🧠 Why I built it: This started as a personal tool because I kept forgetting to wrap my dev commands with op run, and I wanted a smoother experience that "just works" based on .env contents. It hooks into ZSH (likely direnv), with support for allow/deny patterns (e.g., only wrap certain commands like pnpm start). 🛠️ Tech: Written in Rust Works in ZSH, Bash, and Fish Installable via Homebrew Fully local 🧪 Notes: This is an early release, mainly developed for my personal use. I’m sharing it here in case others find it useful. Feedback, issues, or even feature ideas are very welcome — but no pressure! GitHub: https://github.com/andrea11/openv Thanks for reading — and happy coding! 🚀
OpenAI API Keys... Oh mai
Just a heads up, on Github, a crafty person created a query to find OpenAI API keys via search. I'm not going to link to it, but here are some resources if you fall into this camp! We have an entire blog post from 2023 about this topic https://blog.1password.com/openai-chatgpt-exposed-api-keys/ AI Agents + 1Password (Blog) https://developer.1password.com/docs/sdks/ai-agent CLI https://developer.1password.com/docs/cli/secret-references SDK (Python, Go & Typescript/JS) https://developer.1password.com/docs/sdks/load-secrets GitHub Actions with 1Password (hide API keys in CI/CD) https://developer.1password.com/docs/ci-cd/github-actions
Feature Request: Restrict Visibility, Copy, and Export of Private SSH Keys in a Shared Vault
Dear 1Password Support Team, I hope this message finds you well. I am a user of 1Password, currently managing SSH keys for secure access to our my Cloud servers. I am reaching out to enquire about a feature regarding SSH key management within 1Password. Issue Description Currently, when I store an SSH key in a shared vault and add my colleagues into the vault, all fields of the SSH key item, including the private key, become visible to them. This poses a security concern, as I need to grant access for them to use the key for authentication without allowing them to see, copy, or export the private key itself. Let me know if this feature exists in any of your available plans. Thanks, Jay.1Password GitHub Actions (Post Webinar Chat)
Hi all, Thanks again for joining the webinar today about the 1Password GitHub Action, please feel free to use this discussion to ask any addition questions or if we missed your question, let us know! Here are some resources for your reference: Learn more about the 1Password GitHub Action: - (Marketplace Listing) https://marketplace.1password.com/integration/github-actions - (Docs) https://developer.1password.com/docs/ci-cd/github-actions/ Developer Documentation - https://developer.1password.com/ If you'd like to watch it again you are welcome to do so here: - https://1password.com/webinars/1password-github-actions?utm_ref=community Thanks again and we look forward to working with you soon! ~PhilDocs for "connect-api" and "connect-sync"
I was able to find and download the docker images as tar files and was able to crack them open and find the raw binaries. I had mixed results when trying to execute them. Is there documentation for these binaries if we wanted to try to run these standalone (outside of a docker container)? How would one point it to the "1password-credentials.json" file - as the "docker-compose.yaml" file tells docker to stick it in a "opuser" directory (a home directory within the docker container). volumes: - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json" - "data:/home/opuser/.op/data" Just looking for documentation that might help me do this? Has anyone else done this?.env accessed?: Lesson learned from a drained crypto wallet
A user on X recently lost their entire crypto wallet after installing a malicious extension in Cursor.ai. The extension accessed their .env file, extracted private keys, and sent them to an attacker’s server. The wallet was drained within 27 minutes. Sadly a hard lesson to learn from. What steps would you recommend to secure their setup? Read - https://x.com/0xzak/status/1955265807807545763?s=46&t=WQd8UVBBGk_pyHB3pNwGsA
