Suggestion to not emit decrypted file values into logs on 'complex value in dotenv file' failure

[mistakenot]

If you try to run exec-env with a file with a complex value YAML entry, it fails and outputs the failing complex value block into the log. I wanted to raise this as a potential security risk, as it can lead to secrets being written into logs if this command fails in CI, for example.

I think this is the line where the error is generated:

https://github.com/mozilla/sops/blob/66043e71a81787d6513bc2e5505a29aac67dc6f1/stores/dotenv/store.go#L116

I would be very happy to submit a PR to change this, but wanted to raise it first to get your thoughts.

[felixfontein]

While it's helpful for fixing a case when seeing the value, it's probably better to print the value's key since that's not sensitive (as opposed to the value) and still allows you to find the value.

[felixfontein]

Fixed by #1959.