Skip to content

v0.34.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 18 May 17:51
· 54 commits to main since this release
v0.34.0
4dbaad7
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

New: Query String Scanning

The secrets transform's replace mode no longer scans the URL query string for proxy tokens by default. Query string scanning must now be enabled explicitly with match_query: true, consistent with how match_path already works. Query strings frequently appear in access logs, so this is now opt-in to avoid unintended credential exposure.

# Before (implicit query string scanning)
transforms:
  - name: secrets
    config:
      secrets:
        - source:
            type: env
            var: MAPS_API_KEY
          replace:
            proxy_value: "proxy-maps-token-123"
          rules:
            - host: "maps.googleapis.com"

# After (opt in explicitly)
transforms:
  - name: secrets
    config:
      secrets:
        - source:
            type: env
            var: MAPS_API_KEY
          replace:
            proxy_value: "proxy-maps-token-123"
            match_query: true
          rules:
            - host: "maps.googleapis.com"

This is a breaking config change for existing users who pass proxy tokens via URL query parameters. Add match_query: true to any replace block that needs to swap query string values.

Changelog

  • 4dbaad7 feat(secrets): gate query string scanning behind match_query (#126)
Assets 8
Loading