Feature request: redact secrets when logging #552
Comments
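Well, we already have such a feature: use env:

```js
$.env.GITHUB_TOKEN = 'ghs_xxxxxxxxx';
// The shell, not zx, expands $GITHUB_TOKEN, so the logged command shows only the variable name
await $`curl --silent https://api.github.com/organizations -H "Authorization: Bearer $GITHUB_TOKEN"`;
```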
Ahh yeah, that would work for shell commands! I'm not sure why I assumed zx would do variable interpolation instead of letting the shell handle it. Is this something that could be expanded to other places, such as fetch requests?
For fetch we need to add support.
@antonmedv Can I work on this?
Sure 👌🏻
I can't use env variable, since the requests are sent by Octokit:
somehow zx dumps outgoing http requests, including headers, to the console.
Current Behavior
If we make a call with a secret, it will be printed to stdout.
note: I'm only including shell examples for brevity, but this applies to most zx logging 🙂
If we wanted to go one step further, there could also be a `$.redact(text: string)` method
Example:
Requested Behavior
It would be cool if we could either redact or replace secrets.
For example, with blanket redaction:
Or with contextual redaction:
Steps to Reproduce the Problem
covered in Current Behavior section
Specifications
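
Added example (not from the issue and not zx code): one way to get the blanket and contextual redaction the request describes, plus header masking for the fetch/Octokit case raised in the comments. `createRedactor`, `redactHeaders` and the `[REDACTED]` / `[NAME]` output formats are hypothetical, and "contextual" is assumed to mean replacing a secret with its registered name.

```javascript
// Added example: hypothetical helpers, not part of the zx API.
function createRedactor(secrets, { contextual = false } = {}) {
  // Longest values first, so a secret containing another is never half-masked.
  const entries = Object.entries(secrets)
    .filter(([, value]) => typeof value === 'string' && value.length > 0)
    .sort(([, a], [, b]) => b.length - a.length);
  return function redact(text) {
    let out = String(text);
    for (const [name, value] of entries) {
      // split/join replaces every occurrence without regex-escaping the secret
      out = out.split(value).join(contextual ? `[${name}]` : '[REDACTED]');
    }
    return out;
  };
}

// Headers masked by name, even if the credential was never registered.
const AUTH_HEADERS = new Set(['authorization', 'proxy-authorization']);
const OPAQUE_HEADERS = new Set(['cookie', 'set-cookie']);

function redactHeaders(headers, redact) {
  const safe = {};
  for (const [key, value] of Object.entries(headers)) {
    const name = key.toLowerCase();
    if (AUTH_HEADERS.has(name)) {
      // Keep the scheme ("Bearer", "token") for debugging, drop the credential.
      const parts = String(value).trim().split(/\s+/);
      safe[key] = parts.length > 1 ? `${parts[0]} [REDACTED]` : '[REDACTED]';
    } else if (OPAQUE_HEADERS.has(name)) {
      safe[key] = '[REDACTED]';
    } else {
      safe[key] = redact(value);
    }
  }
  return safe;
}

// Constructed sample values, not real credentials.
const secrets = { GITHUB_TOKEN: 'ghs_constructedSampleValue0000' };
const blanket = createRedactor(secrets);
const contextual = createRedactor(secrets, { contextual: true });
const cmd = `curl --silent https://api.github.com/organizations -H "Authorization: Bearer ${secrets.GITHUB_TOKEN}"`;
const hdrs = { Authorization: `Bearer ${secrets.GITHUB_TOKEN}`, 'X-Trace': `t=${secrets.GITHUB_TOKEN}` };

console.log(blanket(cmd));
console.log(contextual(cmd));
console.log(redactHeaders(hdrs, blanket));
```

Exact-match redaction only catches a secret in the form it was registered; a base64- or URL-encoded copy of the same value passes through unless that encoded form is registered too.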