Sops for the security paranoid
Can you imagine people downloading random binaries from GitHub, running them locally, and then trusting them with secrets? I can't either, but apparently this is a perfectly normal thing people do every day.
If that makes you mildly uncomfortable, here's the less trusting version: do not install the binary directly, just run it in a container with no network access and only mount the working directory you actually need.
For those who can relate:
alias sops='docker run --rm --network none -v "$(pwd)":/work -w /work ghcr.io/getsops/sops:v3.11.0-alpine sops'
It is not magic, and it is not a perfect sandbox, but it is still a lot more defensible than casually piping a random release artifact straight into your machine and hoping everyone involved had a good day.
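One way to narrow the "not a perfect sandbox" gap, as an added example that is not the author's code: a shell function that keeps the no-network, single-mount idea and adds a read-only root filesystem, dropped capabilities, a non-root user and a refusal to mount `/` or `$HOME`. The names `sops_sandboxed`, `SOPS_IMAGE` and `SOPS_DRY_RUN` are hypothetical, and `--entrypoint sops` is set explicitly so the call does not depend on the image's default entrypoint.

```shell
#!/bin/sh
# Added example, not from the original post. All names here
# (sops_sandboxed, SOPS_IMAGE, SOPS_DRY_RUN) are hypothetical.
# The default tag is the one the post uses. A tag can be repointed, so
# override SOPS_IMAGE with a digest reference (repo@sha256:<digest>)
# once you have verified one.
SOPS_IMAGE="${SOPS_IMAGE:-ghcr.io/getsops/sops:v3.11.0-alpine}"

sops_sandboxed() {
    workdir="$(pwd -P)"
    # The bind mount is the only host path the container can touch, so
    # refuse directories that expose far more than a project checkout.
    case "$workdir" in
        /|"${HOME:-}")
            echo "sops_sandboxed: refusing to mount $workdir" >&2
            return 1 ;;
    esac

    # Prepend the docker options to the caller's sops arguments.
    set -- \
        --rm \
        --network none \
        --read-only --tmpfs /tmp \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --user "$(id -u):$(id -g)" \
        -v "$workdir:/work" -w /work \
        --entrypoint sops \
        "$SOPS_IMAGE" "$@"

    # Interactive editing needs a terminal; request one only if we have it.
    if [ -t 0 ] && [ -t 1 ]; then set -- -it "$@"; fi

    # SOPS_DRY_RUN=1 prints the command instead of running it.
    if [ -n "${SOPS_DRY_RUN:-}" ]; then
        printf 'docker run %s\n' "$*"
        return 0
    fi
    docker run "$@"
}
```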