Interview › Scripting (Bash, Groovy)
Why should you avoid putting secrets on the command line, and what leaks them? [Advanced]
Answer
Secrets on the command line can leak through process listings, shell history, CI logs, audit logs, error messages, and monitoring agents. I prefer stdin, protected files, environment bindings from a secret manager, or native credential mechanisms.
Technical explanation
Commands like ps can expose arguments to other users on the system depending on permissions and OS settings.
set -x can print expanded command lines containing secrets.
Some tools log full command invocations on failure, so command-line secrets are easy to leak accidentally.
Hands-on example
# Bad: password visible in command arguments
# mysql -u app -pSuperSecret
# Better: protected option file or env/secret manager
cat > "$HOME/.my.cnf" <<EOF
[client]
user=app
password=$MYSQL_PASSWORD
EOF
chmod 600 "$HOME/.my.cnf"
mysql -e 'select 1'
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Scripting (Bash, Groovy) interview questions
- What is the purpose of the shebang line, and what does #!/bin/bash do? [Basic]
- What is the difference between sh and bash? [Basic]
- How do you make a script executable and run it? [Basic]
- What is the difference between running a script with ./script.sh, bash script.sh, and source script.sh? [Basic]
- What does sourcing a script do differently from executing it? [Basic]
- How do you declare a variable in Bash, and why are spaces around = not allowed? [Basic]
- What is the difference between $var and ${var}? [Basic]
- What is the difference between single quotes and double quotes in Bash? [Basic]