secrets

package
v0.5.1 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 23, 2026 License: Apache-2.0 Imports: 1 Imported by: 0

Documentation

Overview

Package secrets masks sensitive environment-variable values so they don't leak from the inspect panel (screenshots, screen-shares) or to an AI model over MCP. Masking is policy applied above the docker layer, which always returns raw env; callers decide what the viewer is allowed to see.

Functions

func IsSensitive

func IsSensitive(key, value string) bool

IsSensitive reports whether an env entry should be treated as a secret, by the variable name or by the shape of its value.

func MaskCommand added in v0.4.2

func MaskCommand(cmd string, mode Mode) string

MaskCommand masks credential-looking tokens inside a container's command line, leaving the rest readable: a `--flag=value` / `KEY=value` whose name or value is sensitive, or a bare token that looks like a credential (sk-…, JWT, long token). A command is mostly non-secret, so only detected tokens are masked; "off" disables it. Heuristic — combined forms like `-psecret` aren't caught.

func MaskEnv

func MaskEnv(env []string, mode Mode) []string

MaskEnv returns a copy of env ("KEY=VALUE" entries) with values masked per mode. Entries without an '=' are passed through unchanged.

func MaskLabels added in v0.4.2

func MaskLabels(labels map[string]string, mode Mode) map[string]string

MaskLabels masks only label values that look sensitive (by name or value shape). Unlike env, label sets are mostly metadata (compose project, image version), so "all" is not applied wholesale — that would gut the inspect view.

func MaskValue

func MaskValue(v string) string

MaskValue returns the placeholder for a non-empty value (empty stays empty — there's nothing to hide).

Types

type Mode

type Mode string

Mode is how container env values are masked.

const (
	MaskAll       Mode = "all"       // mask every value (default)
	MaskSensitive Mode = "sensitive" // mask only values that look like secrets
	MaskOff       Mode = "off"       // no masking
)

func ParseMode

func ParseMode(s string) Mode

ParseMode maps a settings string to a Mode, defaulting to MaskAll.
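
The env-masking contract documented above, as a stand-alone sketch (an added example, not the package's source code). The lowercase names, the `********` placeholder, and the name and value patterns in `looksSensitive` are assumptions, since the page gives only the signatures and behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type mode string

const (
	maskAll       mode = "all"
	maskSensitive mode = "sensitive"
	maskOff       mode = "off"
	placeholder        = "********" // assumed; the page does not show the real placeholder
)

// Assumed heuristics: the page says "by name or value shape" but lists no patterns.
var nameRe = regexp.MustCompile(`(?i)pass(word|wd)?|secret|token|api_?key|credential`)
var valueRe = regexp.MustCompile(`^(sk-[A-Za-z0-9_-]{16,}|eyJ[\w-]+\.[\w-]+\.[\w-]+)$`)

func looksSensitive(key, value string) bool {
	return nameRe.MatchString(key) || valueRe.MatchString(value)
}

func parseMode(s string) mode {
	if m := mode(s); m == maskSensitive || m == maskOff {
		return m
	}
	return maskAll // unknown or empty setting fails closed
}

// maskEnv returns a masked copy; entries without '=' and empty values pass through.
func maskEnv(env []string, m mode) []string {
	out := make([]string, len(env))
	for i, e := range env {
		k, v, ok := strings.Cut(e, "=")
		if ok && v != "" && (m == maskAll || (m == maskSensitive && looksSensitive(k, v))) {
			e = k + "=" + placeholder
		}
		out[i] = e
	}
	return out
}

func main() {
	env := []string{"PATH=/usr/bin", "DB_PASSWORD=hunter2", "EMPTY=", "NOEQ"} // constructed sample
	fmt.Println(maskEnv(env, parseMode("sensitive")), maskEnv(env, parseMode("typo")))
}
```

Because an unrecognised settings string resolves to the "all" mode, a typo in configuration hides more than intended instead of exposing raw values.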
