Description
k6 inspect (and k6 archive) error out when a script calls secrets.get() at the top level (init context), even though the script runs correctly during normal execution. This is a common pattern among k6 users.
Steps to reproduce
// secrets.js
import secrets from 'k6/secrets';
const secretValue = await secrets.get('secret_name');
export default function() { }
$ k6 inspect secrets.js
ERRO[0000] no secret sources are configured hint="script exception"
Expected behavior
k6 inspect is an analysis command — it should not require a fully configured secrets source to introspect a script's options. Ideally, it would either:
- silently skip secret resolution during inspection, or
- complete successfully and include a note in the output that the script requires a secrets source at runtime.
What works today
Moving the secrets.get() call inside the default function works:
export default async () => {
const secretValue = await secrets.get('secret_name');
}
Passing the exact secrets via CLI also works, but is not always feasible:
$ k6 inspect --secret-source=mock=secret_name=value secrets.js
Context
This affects Synthetic Monitoring, where k6 inspect runs in a sandboxed environment that intentionally has no access to the secrets source — that is a security property of the environment, not a configuration gap. As the number of SM users grows, the number of scripts using top-level secrets.get() is also growing, making this a blocker for our preprocessing pipeline.
A possible approach is discussed in PR #6092, which proposes a dummy secret source that returns an empty value for any requested secret and never errors. This would allow k6 inspect to run without requiring a real secrets source. We'd welcome input from the core team on whether this direction is acceptable or if there's a cleaner path.
Description
k6 inspect(andk6 archive) error out when a script callssecrets.get()at the top level (init context), even though the script runs correctly during normal execution. This is a common pattern among k6 users.Steps to reproduce
Expected behavior
k6 inspectis an analysis command — it should not require a fully configured secrets source to introspect a script's options. Ideally, it would either:What works today
Moving the
secrets.get()call inside the default function works:Passing the exact secrets via CLI also works, but is not always feasible:
Context
This affects Synthetic Monitoring, where
k6 inspectruns in a sandboxed environment that intentionally has no access to the secrets source — that is a security property of the environment, not a configuration gap. As the number of SM users grows, the number of scripts using top-levelsecrets.get()is also growing, making this a blocker for our preprocessing pipeline.A possible approach is discussed in PR #6092, which proposes a
dummysecret source that returns an empty value for any requested secret and never errors. This would allowk6 inspectto run without requiring a real secrets source. We'd welcome input from the core team on whether this direction is acceptable or if there's a cleaner path.