Obfuscating encrypted variables in the logs

We use some scripts in the pipeline that require credentials or keys, and we encrypt them in Codefresh.

However, when the scripts run, the credentials/keys are exposed in the console logs.

Is there a way to prevent this or turn on a mode where it replaces the encrypted value with “*****”? Then, if we need to see the variable, it would be a click to reveal.

Understandably, this may require another security layer that would allow admins to view this information.


The two ways I can think of to accomplish this would be:

  1. Use a separate pipeline that people don’t have access to but you can run from this pipeline with logs off. This would keep the output “blackbox” essentially. There are some downsides here like having a separate volume etc.
  2. Run the step in freestyle mode and manually suppress the output with a pipe to /dev/null

Could we treat this as a feature, please? Badly needed fwiw. Jenkins can do it automatically, for example, by obfuscating output of what it knows to be secrets… it’s not perfect, but at least something.

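An added example, not from the thread or from Codefresh: a POSIX shell sketch of the two approaches discussed above, discarding a step's output (option 2) and filtering output for values known to be secrets, in the style described for Jenkins. The function names `run_quiet`, `mask_secrets` and `run_masked` are hypothetical, and the secrets are assumed to be exported environment variables.

```shell
#!/bin/sh
# Added example, not Codefresh code. All function names are hypothetical.

# Option 2 from the reply: discard stdout and stderr, keep the exit status.
run_quiet() {
  "$@" >/dev/null 2>&1
}

# Filter stdin, replacing every literal occurrence of the values of the named
# (exported) environment variables with *****. Values are read through awk's
# ENVIRON, so they never appear in a process argument list, and are matched
# with index(), so regex metacharacters in a secret need no escaping.
mask_secrets() {
  MASK_NAMES="$1" awk '
    BEGIN {
      n = split(ENVIRON["MASK_NAMES"], names, " ")
      for (i = 1; i <= n; i++)
        if (length(ENVIRON[names[i]]) > 0) secrets[++count] = ENVIRON[names[i]]
    }
    {
      line = $0
      for (i = 1; i <= count; i++) {
        out = ""
        while ((p = index(line, secrets[i])) > 0) {
          out = out substr(line, 1, p - 1) "*****"
          line = substr(line, p + length(secrets[i]))
        }
        line = out line
      }
      print line
    }'
}

# Run a command with stdout and stderr masked, returning the command's own
# exit status rather than the filter's (POSIX sh has no PIPESTATUS).
run_masked() (
  names=$1; shift
  status_file=$(mktemp)
  { rc=0; "$@" 2>&1 || rc=$?; echo "$rc" >"$status_file"; } | mask_secrets "$names"
  rc=$(cat "$status_file"); rm -f "$status_file"
  exit "$rc"
)
```

The filter works line by line on exact values, so a multi-line secret or an encoded form of one (base64, URL-encoded) passes through unmasked.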

For sure, it’s a very good feature request, and I’ll check in to see where we can place it in our pipeline. 🙂

Automatic secret masking came out in May and I totally missed it! Check it out: Variables · Codefresh | Docs