feat: Redact env secrets from output and logs#20691
```go
for _, v := range env {
	parts := strings.SplitN(v, "=", 2)
	if len(parts) == 2 && len(parts[1]) > 0 {
		s.secrets[parts[1]] = parts[0]
	}
}
```
Should we consider adding some ignore logic here, to prevent replacing shorter, day-to-day (1, yes, 17...) env vars that could be in regular, useful logs? Anything that's less than maybe 4 chars (maybe more?) shouldn't be considered a secret, maybe? Would still redact things like user, root, true and false...
Yeah this is one downside to the current approach. Env vars with values that may appear in legitimate logs would be redacted, e.g. if the value is test or any of the ones you mentioned. Not sure how to exclude these because legitimate secrets might also be short.
At least they are only used on cfg.Environment, so shouldn't pose much of a problem. Not all of env is being redacted, only if it starts with __KIND_PLUGINNAME__... so we can be sure the env vars were intended for the plugin itself anyway.
As I mentioned in the comment below, that should prevent these use cases since users would not have a reason for setting non-secrets as sync environment variables.
#20691 (comment)
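To make the trade-off discussed above concrete, here is an added example (not code from the PR or the CloudQuery CLI) of the value-to-name redaction approach with an optional minimum-length filter. The env var names, prefix `__` and values are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Redactor maps each secret value to the env var it came from (value -> name),
// following the approach discussed in the thread.
type Redactor struct{ secrets map[string]string }
// NewRedactor collects values of KEY=VALUE entries whose key starts with prefix.
// Values shorter than minLen are skipped so ordinary words such as "true" are
// not treated as secrets; minLen 0 disables that filter (the thread's trade-off).
func NewRedactor(env []string, prefix string, minLen int) *Redactor {
	r := &Redactor{secrets: map[string]string{}}
	for _, v := range env {
		parts := strings.SplitN(v, "=", 2)
		if len(parts) != 2 || !strings.HasPrefix(parts[0], prefix) {
			continue
		}
		if len(parts[1]) == 0 || len(parts[1]) < minLen {
			continue
		}
		r.secrets[parts[1]] = parts[0]
	}
	return r
}

// Redact replaces every known value in s with ${NAME}. Longer values go first
// so a value that is a substring of another leaves no fragment behind.
func (r *Redactor) Redact(s string) string {
	vals := make([]string, 0, len(r.secrets))
	for v := range r.secrets {
		vals = append(vals, v)
	}
	sort.Slice(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	for _, v := range vals {
		s = strings.ReplaceAll(s, v, "${"+r.secrets[v]+"}")
	}
	return s
}

func main() {
	// Constructed sample environment; prefix and values are made up.
	env := []string{"__SOURCE_AWS__TOKEN=s3cr3t-token-9f8e", "__SOURCE_AWS__DEBUG=true", "HOME=/home/ci"}
	line := "auth with s3cr3t-token-9f8e ok, debug=true, home=/home/ci"
	fmt.Println(NewRedactor(env, "__", 0).Redact(line)) // "true" is redacted too
	fmt.Println(NewRedactor(env, "__", 5).Redact(line)) // only the token is redacted
}
```

With the filter disabled, the legitimate `debug=true` is rewritten as well, which is the over-redaction the reviewer describes; a minimum length avoids that at the cost of missing genuinely short secrets.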
Since it's mostly internal use cases that require secret redaction (general usage of the CLI does not require that), I think the better option would be toggling this sort of behaviour opt-in, through configuration (probably an environment variable is the best choice).
Technically this is already opt-in through the
Ah ok I missed that it's already behind CQ_CLOUD. If that's the case then it should be good to go.
🤖 I have created a release *beep* *boop*

---

## [6.19.0](cli-v6.18.2...cli-v6.19.0) (2025-05-06)

### Features

* Redact env secrets from output and logs ([#20691](#20691)) ([a913f10](a913f10))

### Bug Fixes

* **deps:** Update module github.com/cloudquery/plugin-sdk/v4 to v4.79.1 ([#20692](#20692)) ([50f909e](50f909e))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
This adds functionality to redact secrets (aka environment variables) in cloud sync environments. This redacts them in the logs and in the output of all the CLI commands.