fix: harden unity-cli credential examples (Snyk W007)#21
Merged
Conversation
Remove runnable command examples that place secrets on the command line, while keeping the real flags documented: - CI auth "Equivalent to" now uses --secret-from-stdin, not --client-secret - Drop the copy-pasteable --client-secret <secret> command (kept as a labelled anti-pattern note pointing to stdin / env-var auth) - Replace the http://user:secret@host proxy example with prose that points to the OS keyring lookup - Strengthen the Android keystore warning to require CI secret env vars (e.g. "$KEYSTORE_PASSWORD"), never inline literals The secure alternatives (--secret-from-stdin, --git-token-stdin, UNITY_SERVICE_ACCOUNT_* env vars) were already the documented defaults; this removes the insecure demonstrations the audit flagged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the unity-cli skill documentation to remove (or de-emphasize) copy/pasteable examples that place credentials directly on the command line, addressing Snyk W007 insecure credential handling findings while keeping secure alternatives documented.
Changes:
- Updates CI service-account auth guidance to point to
--secret-from-stdininstead of--client-secret <secret>. - Replaces insecure
auth loginand proxy credential examples with anti-pattern warnings and safer guidance. - Expands Android keystore guidance to discourage inline literals and steer users toward CI secret sources.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
clm2609
previously approved these changes
Jul 2, 2026
- Drop misleading "Equivalent to" claim for CI env-var auth; clarify it maps to auth login flags but isn't a full login (no keyring persist) - Reference --client-secret flag without the copy-pasteable <secret> placeholder - Clarify keystore env vars avoid hard-coding literals but the expanded value still appears in argv; mask in CI logs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
clm2609
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Removes the runnable command examples in
unity-cli/SKILL.mdthat place secrets directly on the command line, which the Snyk W007 ("insecure credential handling") audit flagged. All real flags stay documented so an agent still knows they exist — only the copy-pasteable insecure demonstrations are removed.Changes
unity auth login --client-id <id> --client-secret <secret>--client-id <id> --secret-from-stdinauth loginblock--client-secret <secret>command--secret-from-stdin/UNITY_SERVICE_ACCOUNT_*env varsconfig proxyhttp://user:secret@proxy.example.com:8080--android-keystore-*from CI secret env vars (e.g."$KEYSTORE_PASSWORD"), never inline literalsNet +9 / −6 lines.
Why this is low-risk
The secure alternatives (
--secret-from-stdin,--git-token-stdin,UNITY_SERVICE_ACCOUNT_ID/_SECRETenv vars) were already the documented defaults throughout the skill — every--git-tokenexample already used--git-token-stdin. This change just removes the insecure demonstrations the audit flagged and reframes them as anti-patterns.🤖 Generated with Claude Code