Currently, dagger redacts secrets while forwarding buildkit events to the logger.
It works great to strip away secrets leaked by the CUE layer (e.g. #Exec & { command: "echo secret: $(cat /secret)" } shows up as secret: ***), however it doesn't strip away secrets leaked by Dagger itself in Go.
It's currently implemented in Client.logSolveStatus() (the goroutine that bridges buildkit events to the logger), which uses an internal secureSprintf function to strip away secrets.
An alternative would be to move this logic into a zerolog hook if possible: https://github.com/rs/zerolog#hooks
Currently, dagger redacts secrets while forwarding buildkit events to the logger.
It works great to strip away secrets leaked by the CUE layer (e.g.
#Exec & { command: "echo secret: $(cat /secret)" }shows up assecret: ***), however it doesn't strip away secrets leaked by Dagger itself in Go.It's currently implemented in
Client.logSolveStatus()(the goroutine that bridges buildkit events to the logger), which uses an internalsecureSprintffunction to strip away secrets.An alternative would be to move this logic into a
zerologhook if possible: https://github.com/rs/zerolog#hooks