$XDG_STATE_HOME/ironrun/audit.log. Records are hash-chained — each entry includes the hash of the previous one — so any deletion, insertion, or modification of a record breaks the chain and is detectable.
What is logged
Each record contains:- Command ID — the
id:field from your policy - argv — the literal argument list that was executed
- Secret entry names — the alias or key names of secrets that were injected
- Timestamp — when the command ran
- Exit code — what the child process returned
What is never logged
- Secret values
- Plaintext credentials of any kind
- Command output
Usage
audit verify walks every record in the log, recomputes each hash, and confirms it matches the stored chain link.
Flags
audit verify
Path to the audit log to verify. By default, the path is resolved in order from
IRONRUN_AUDIT_LOG, then the audit_log: field in ironrun.yml, then the platform default.Configuration
You can redirect or disable the audit log in two ways: Inironrun.yml:
Default location
The default audit log location is:~/.local/state/ironrun/audit.log. On macOS, $XDG_STATE_HOME defaults to ~/.local/state as well unless you have overridden it.
If the audit log cannot be opened at startup — for example, because the directory doesn’t exist or permissions prevent writing — ironrun prints a warning to stderr and continues normally. Sealed command execution is never blocked by an audit log failure.