Injecting dev secrets into Dev Containers

Every team I've joined has the same awkward onboarding ritual. Someone DMs you a .env file on Slack, or pastes an API key into a chat "just for a minute", and you quietly pray nobody commits it. Secrets sprawl across laptops, repositories, and inboxes, and the only thing holding it together is everyone being careful all the time.

I wanted the opposite: a dev environment that pulls the right secrets on its own, keeps them off disk, and gives every teammate the same setup without anyone passing strings around.

Infisical already solved the "remote secret vault" half of the problem. The missing piece was wiring it into the tool I spin up dozens of times a week, Dev Containers. So I built a Dev Containers feature that does exactly that.

Installation & Configuration

Start by adding the feature to your devcontainer.json:

{
    "features": {
        "ghcr.io/danzilberdan/devcontainers/infisical:0": {}
    }
}

On its own, that just installs the Infisical CLI. To have the container pull secrets automatically, point it at a config file and log in on create:

{
    "features": {
        "ghcr.io/danzilberdan/devcontainers/infisical:0": {
            "dotenvFile": "/workspaces/yourproj/.infisical.env"
        }
    },
    "postCreateCommand": "infisical login"
}

Then drop a .infisical.env in your workspace telling the CLI which project and environment to pull from:

INFISICAL_PROJECT_ID=your-project-id-here
INFISICAL_ENV=dev

These values aren't sensitive: auth happens in the browser through OAuth, MFA, or whichever method you prefer. Still, adding .infisical.env to .gitignore is a good idea so each teammate can point at their own vault.
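Both halves of that advice can be checked mechanically. The following is an added example, not part of the feature or the original post: a POSIX shell guard that assumes the file should hold only the two keys shown above and uses git check-ignore to confirm the file is ignored. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: guard for the .infisical.env file described in this post.
# Assumption: the file should hold only the two keys shown above.
ALLOWED_KEYS="INFISICAL_PROJECT_ID INFISICAL_ENV"

# Print each key that is not on the allowlist (names only, never values).
# Returns 0 when every line is blank, a comment, or an allowed KEY=value.
unexpected_keys() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo '<malformed line>'; status=1; continue ;;
        esac
        key=${line%%=*}
        key=${key#export }
        case " $ALLOWED_KEYS " in
            *" $key "*) ;;
            *) printf '%s\n' "$key"; status=1 ;;
        esac
    done < "$1"
    return "$status"
}

# Succeeds only if git would ignore the file (it must sit inside a repo).
is_git_ignored() {
    dir=$(dirname -- "$1")
    name=$(basename -- "$1")
    (cd "$dir" && git check-ignore -q -- "$name")
}

# Run both checks and report the first failure on stderr.
check_infisical_env() {
    if ! bad=$(unexpected_keys "$1"); then
        printf 'unexpected entries in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    if ! is_git_ignored "$1"; then
        echo "$1 is not ignored by git" >&2
        return 1
    fi
    echo "$1 looks fine"
}
```

Source the file and call check_infisical_env with the path to your .infisical.env; a non-zero exit means a teammate added something beyond the project and environment pointers, or the file is about to be committed.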

Why it's nice

Secrets never land on the filesystem. They arrive as environment variables inside the running container and vanish with it. New teammates get up and running by opening the project; the container handles the rest, and Infisical templates keep everyone's environment in sync without a single Slack DM.

Full instructions live in the GitHub repository.