Obfuscating encrypted variables in the logs

We use some scripts in the pipeline that require credentials or keys, and we encrypt in Codefresh.

However, when the scripts run, the credentials/keys are exposed in the console logs.

Is there a way to prevent this or turn on a mode where it replaces the encrypted value with “*****”? Then, if we need to see the variable, it would be a click to reveal.

Understandably, this may require another security layer that would allow admins to view this information.

The two ways I can think of to accomplish this would be

  1. Use a separate pipeline that people don’t have access to but you can run from this pipeline with logs off. This would keep the output “blackbox” essentially. There are some downsides here like having a separate volume etc.
  2. Run the step in freestyle mode and manually suppress the output with a pipe to /dev/null
1 Like

Could we treat this as feature, please? Badly needed fwiw. Jenkins can do it automatically, for example, by obfuscating output of what it knows to be secrets… it’s not perfect, but at least something.

1 Like

For sure, it’s a very good feature request, and I’ll check in to see where we can place it in our pipeline. :slight_smile: