Skip to main content
Every sealed command execution appends a tamper-evident record to the audit log at $XDG_STATE_HOME/ironrun/audit.log. Records are hash-chained — each entry includes the hash of the previous one — so any deletion, insertion, or modification of a record breaks the chain and is detectable.

What is logged

Each record contains:
  • Command ID — the id: field from your policy
  • argv — the literal argument list that was executed
  • Secret entry names — the alias or key names of secrets that were injected
  • Timestamp — when the command ran
  • Exit code — what the child process returned

What is never logged

  • Secret values
  • Plaintext credentials of any kind
  • Command output

Usage

audit verify walks every record in the log, recomputes each hash, and confirms it matches the stored chain link.

Flags

audit verify

--log
string
default:"resolved from env/policy"
Path to the audit log to verify. By default, the path is resolved in order from IRONRUN_AUDIT_LOG, then the audit_log: field in ironrun.yml, then the platform default.

Configuration

You can redirect or disable the audit log in two ways: In ironrun.yml:
Via environment variable:
The environment variable takes precedence over the policy field.

Default location

The default audit log location is:
On most Linux systems this resolves to ~/.local/state/ironrun/audit.log. On macOS, $XDG_STATE_HOME defaults to ~/.local/state as well unless you have overridden it.
If the audit log cannot be opened at startup — for example, because the directory doesn’t exist or permissions prevent writing — ironrun prints a warning to stderr and continues normally. Sealed command execution is never blocked by an audit log failure.