Hook subprocesses receive full environment including secrets

## Description

`os.environ.copy()` at `python/packages/jumpstarter/jumpstarter/exporter/hooks.py:81` passes the full process environment to hook subprocesses, including JMP_TOKEN, Kubernetes ServiceAccount tokens, and cloud credentials.

Combined with `JMP_DRIVERS_ALLOW: "UNSAFE"`, hooks operate with maximum privilege and zero audit persistence.

## Suggested Fix

- Construct a minimal environment for hook subprocesses
- Explicitly allowlist safe environment variables
- Strip sensitive variables (tokens, keys, cloud credentials)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hook subprocesses receive full environment including secrets #361

Description

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Hook subprocesses receive full environment including secrets #361

Description

Description

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions