
Sentieon modules expose the license key in the command script #10344

@prototaxites


Description of the bug

Noticed this when debugging another module that uses secrets.

Sentieon modules have this in the script block:

    def sentieonLicense = secrets.SENTIEON_LICENSE_BASE64
            ? "export SENTIEON_LICENSE=\$(mktemp);echo -e \"${secrets.SENTIEON_LICENSE_BASE64}\" | base64 -d > \$SENTIEON_LICENSE; "
            : ""
    """
    ${sentieonLicense}

This will write the value of secrets.SENTIEON_LICENSE_BASE64 in plaintext into the .command.sh file.

I don't know the tool so I can't say for sure what a good fix is, but perhaps this would be a good temp fix - letting Nextflow load the secret if it exists, which makes it available as an environment variable. Then echo the environment variable into the tempfile instead of the raw string?

    process SENTIEON_THING {
        secret secrets.SENTIEON_LICENSE_BASE64 ? "SENTIEON_LICENSE_BASE64" : ""

        script:
        def sentieonLicense = secrets.SENTIEON_LICENSE_BASE64
                    ? "export SENTIEON_LICENSE=\$(mktemp);echo -e \"\${SENTIEON_LICENSE_BASE64}\" | base64 -d > \$SENTIEON_LICENSE; "
                    : ""

https://nextflow.slack.com/archives/C02T98A23U7/p1772718409863709

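The difference between the two snippets in the issue, as an added shell example that is not part of the original issue or of the project's module code: it renders the license line both ways, checks each rendered script for the literal secret, and runs both to confirm they decode the same license. The license value, the function names and the file names are constructed for illustration, and the rendered scripts are assumed to be executed with bash.

```shell
#!/usr/bin/env bash
# Added example with constructed values; no real Sentieon license is involved.
FAKE_B64=$(printf 'constructed-license-text\n' | base64)   # stand-in for the secret

# Current module behaviour: the secret's VALUE is substituted into the script
# text before it is written, so the value itself ends up in .command.sh.
render_interpolated() {   # $1 = path of the rendered script
    cat > "$1" <<EOF
export SENTIEON_LICENSE=\$(mktemp);echo -e "${FAKE_B64}" | base64 -d > \$SENTIEON_LICENSE;
cat "\$SENTIEON_LICENSE"; rm -f "\$SENTIEON_LICENSE"
EOF
}

# Proposed fix: the escaped dollar sign leaves only the variable NAME in the
# script; the value arrives through the task environment at run time.
render_env_ref() {        # $1 = path of the rendered script
    cat > "$1" <<'EOF'
export SENTIEON_LICENSE=$(mktemp);echo -e "${SENTIEON_LICENSE_BASE64}" | base64 -d > $SENTIEON_LICENSE;
cat "$SENTIEON_LICENSE"; rm -f "$SENTIEON_LICENSE"
EOF
}

# Exit status 0 if the file contains the secret value as a literal string.
script_leaks() { grep -qF -- "$2" "$1"; }   # $1 = script, $2 = secret value

# Run a rendered script with the secret supplied only via the environment.
run_script() { SENTIEON_LICENSE_BASE64="$FAKE_B64" bash "$1"; }

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
render_interpolated "$DEMO_DIR/interpolated.command.sh"
render_env_ref      "$DEMO_DIR/env_ref.command.sh"
for f in "$DEMO_DIR"/*.command.sh; do
    if script_leaks "$f" "$FAKE_B64"; then echo "LEAK  $f"; else echo "clean $f"; fi
done
```

The same `script_leaks` check can be pointed at existing .command.sh files to find task directories where the license was already written out and may need to be cleaned up.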
