Intent-Code Divergence
Medium
- Confidence
- 97% confidence
- Finding
- The usage text explicitly says the encryption password is never read from an environment variable, but the script exports it and passes it into containers via `-e ENCRYPT_PASSWORD=...` and uses `openssl ... -pass env:ENCRYPT_PASSWORD`. That contradiction can mislead operators into thinking the secret will not be exposed through process environments, Docker inspection metadata, shell history, or debugging tools, increasing the chance of credential disclosure.
