pavingLogic
Keep secrets out of Copilot CLI output with --secret-env-vars
GitHub CopilotCLISecurityDeveloper Productivity

Keep secrets out of Copilot CLI output with --secret-env-vars

Adham 5 min read

When you run GitHub Copilot CLI, it can read your environment. That is part of what makes it useful. You pass in an API key as an environment variable, and the agent can use it when calling a service, running a script, or building a docker command.

But there is a side effect. Those values can show up in the output. Copilot might echo a command it built, repeat a value in its explanation, or include it in a session log. If you are recording a demo, sharing your terminal in a screen share, or writing session output to a file, that is a problem.

The --secret-env-vars flag is how you tell Copilot to redact specific values from everything it outputs.

What it does

The flag takes a list of environment variable names. Copilot will look up their values and replace any occurrence in its output with a placeholder like [REDACTED].

copilot --secret-env-vars="MY_API_KEY" -p "call the API and show me the response"

If MY_API_KEY is set to sk-abc123xyz, Copilot will never print sk-abc123xyz anywhere in its terminal output or session logs. You get the response, the explanation, the commands it ran, but all with the secret value masked.

For multiple variables you use a comma-separated list:

copilot --secret-env-vars="MY_API_KEY,DB_PASSWORD,WEBHOOK_SECRET" -p "your prompt here"

Two variables are always redacted automatically without needing the flag: GITHUB_TOKEN and COPILOT_GITHUB_TOKEN. Anything else you need to protect, you have to name explicitly.

A real example

Say you are building a small automation that calls an external API and you want Copilot to help you write and test the request. You store the key in your shell environment:

export OPENWEATHER_API_KEY="supersecretkey123"

Now you run Copilot with the flag:

copilot \
  --secret-env-vars="OPENWEATHER_API_KEY" \
  --allow-tool='shell(curl)' \
  --silent \
  -p "Fetch the current weather in London using the OPENWEATHER_API_KEY environment variable and print the temperature"

Copilot builds the curl command, runs it, and shows you the result. But if it ever needs to print the command it ran, you see something like:

curl "https://api.openweathermap.org/data/2.5/weather?q=London&appid=[REDACTED]"

The actual key value is never shown. The command still ran because the environment variable was available to the shell. Only the display is masked.

When this actually matters

Most of the time you use Copilot interactively on your own machine and nobody is watching. The flag is less important there.

But there are situations where it makes a real difference:

You are in a pair programming session and sharing your screen. Your partner does not need to see the raw value of your API key just because Copilot echoed the command it built.

You are recording a video or writing a tutorial. The session output goes into a file or gets captured by screen recorder software. Without redaction, you are one careless share away from leaking credentials.

You are running Copilot in a script with --silent and piping the output somewhere, maybe into a log file or a Slack notification. The secret flag makes sure that log is safe to share.

You are using --share or --share-gist to post your session to a gist after it finishes. Session sharing without redaction means your secrets are part of the gist.

Combining it with other flags

The flag fits naturally with the programmatic flags I talked about in a previous post. Here is a pattern that uses several of them together:

copilot \
  --secret-env-vars="API_KEY,API_SECRET" \
  --allow-tool='shell(curl)' \
  --no-ask-user \
  --silent \
  -p "Test the API endpoint and confirm it returns a 200"

This runs fully headless, outputs only the response, never asks for confirmation, and keeps your credentials out of the output. Clean and safe for scripting or CI use.

One thing to know about scope

The flag only redacts from Copilot’s own output. It does not affect what the underlying shell commands print. If the tool calls a script that itself prints the secret, that will still go to stdout as-is.

For example:

export SECRET="mysecret"
copilot --secret-env-vars="SECRET" -p "echo the SECRET env var"

Copilot might tell the shell to run echo $SECRET. The shell prints mysecret because the shell sees the real value. Copilot then shows you the output of that command. The redaction applies to Copilot’s own text, not to the subprocess output.

So the flag is a good habit, but it is not a substitute for careful scripting. If your prompt naturally causes Copilot to print or echo the variable itself, the value can still leak through the shell. The safe approach is to treat it as one layer of a broader practice, not as complete protection on its own.

Summary

--secret-env-vars is a small flag with a clear purpose. You name the environment variables you want protected. Their values get redacted from all output and logs Copilot produces. GITHUB_TOKEN and COPILOT_GITHUB_TOKEN are covered automatically.

It is a useful habit to add whenever you are using Copilot CLI in a context where the output might be seen by others, shared, or stored. Takes five seconds to add, and it removes a whole category of accidental credential exposure.

Back to all posts