fix(COD-6066): hide the Lacework credentials from the running commands

Author: jeremydubreil

src/util.ts

@@ -30,9 +30,13 @@ export function getRunUrl(): string {
   return result
 }
 
-export async function callCommand(command: string, ...args: string[]) {
+export async function callCommand(
+  command: string,
+  environment: NodeJS.ProcessEnv,
+  ...args: string[]
+) {
   info('Invoking ' + command + ' ' + args.join(' '))
-  const child = spawn(command, args, { stdio: 'inherit' })
+  const child = spawn(command, args, { stdio: 'inherit', env: environment })
   const exitCode = await new Promise((resolve, _) => {
     child.on('close', resolve)
   })
@@ -60,22 +64,15 @@ export function getOptionalEnvVariable(name: string, defaultValue: string) {
 }
 
 export async function callLaceworkCli(...args: string[]) {
-  const accountName = getRequiredEnvVariable('LW_ACCOUNT_NAME')
-  const apiKey = getRequiredEnvVariable('LW_API_KEY')
-  const apiSecret = getRequiredEnvVariable('LW_API_SECRET')
-  const expandedArgs = [
-    '--noninteractive',
-    '--account',
-    accountName,
-    '--api_key',
-    apiKey,
-    '--api_secret',
-    apiSecret,
-    'sca',
-    ...args,
-  ]
+  let laceworkEnv = {
+    ...process.env,
+    LW_ACCOUNT_NAME: getRequiredEnvVariable('LW_ACCOUNT_NAME'),
+    LW_API_KEY: getRequiredEnvVariable('LW_API_KEY'),
+    LW_API_SECRET: getRequiredEnvVariable('LW_API_SECRET'),
+  }
+  const expandedArgs = ['--noninteractive', 'sca', ...args]
   info('Calling lacework ' + expandedArgs.join(' '))
-  await callCommand('lacework', ...expandedArgs)
+  await callCommand('lacework', laceworkEnv, ...expandedArgs)
 }
 
 export function getOrDefault(name: string, defaultValue: string) {