Summary
All cron job output (stdout and stderr) is piped to cat and surfaced in the container's stdout stream. If a cron job prints environment variables, passwords, API keys, or other sensitive data, those values will appear in container logs, which may be collected by log aggregation systems.
Location
entrypoint.sh line 217
echo "${SCHEDULE} ${SCRIPT_PATH} 2>&1 | cat" >> "${CRONTAB_FILE}"
Risk
- Secrets printed by cron jobs end up in log aggregation systems (e.g., CloudWatch, Datadog, Loki)
- Logs may be retained long-term or forwarded to less-secure storage
Recommended Fix
Document this behaviour prominently so operators know to avoid printing secrets in cron commands. Optionally, provide a config option to suppress output or route it to a dedicated log sink:
# Option: suppress output entirely (operator opt-in)
echo "${SCHEDULE} ${SCRIPT_PATH} > /dev/null 2>&1" >> "${CRONTAB_FILE}"
At minimum, add a README note advising against printing secrets in scheduled commands.
Severity
Low
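The opt-in output option suggested under Recommended Fix could look like the sketch below. This is an added example, not code from the project's entrypoint.sh; `CRON_OUTPUT_MODE`, `CRON_LOG_FILE`, `build_cron_line` and the default log path are hypothetical names, and the sample schedule and script path are constructed.

```shell
#!/bin/sh
# Added example. CRON_OUTPUT_MODE, CRON_LOG_FILE and build_cron_line are
# hypothetical names, not options the project currently provides.

# build_cron_line SCHEDULE SCRIPT_PATH
# Prints one crontab line for the selected output mode.
# Returns 1 (and prints nothing on stdout) for an invalid setting.
build_cron_line() {
    schedule=$1
    script_path=$2
    mode=${CRON_OUTPUT_MODE:-stdout}

    case "$mode" in
        stdout)
            # Behaviour described in the issue: job output reaches container logs.
            printf '%s %s 2>&1 | cat\n' "$schedule" "$script_path"
            ;;
        discard)
            # Operator opt-in: drop stdout and stderr entirely.
            printf '%s %s > /dev/null 2>&1\n' "$schedule" "$script_path"
            ;;
        file)
            log_file=${CRON_LOG_FILE:-/var/log/cron-jobs.log}  # assumed default
            # The path is pasted into a line that cron hands to a shell, so
            # accept only an absolute path made of plain path characters.
            # This also rejects '%', which cron treats as a newline.
            case "$log_file" in
                *[!A-Za-z0-9_./-]*|[!/]*)
                    echo "invalid CRON_LOG_FILE: $log_file" >&2
                    return 1
                    ;;
            esac
            printf '%s %s >> %s 2>&1\n' "$schedule" "$script_path" "$log_file"
            ;;
        *)
            echo "unknown CRON_OUTPUT_MODE: $mode" >&2
            return 1
            ;;
    esac
}

# Demo with a constructed job; the subshell keeps the settings local.
(
    for CRON_OUTPUT_MODE in stdout discard file; do
        build_cron_line '*/5 * * * *' /app/job.sh
    done
)
```

In file mode the log file holds whatever the jobs print, so it needs restrictive permissions and its own retention policy.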