secrets

package
v0.8.0

Warning: this package is not in the latest version of its module.
Published: Jun 26, 2026 License: Apache-2.0 Imports: 1 Imported by: 0

Documentation

Overview

Package secrets masks sensitive environment-variable values so they don't leak from the inspect panel (screenshots, screen-shares) or to an AI model over MCP. Masking is policy applied above the docker layer, which always returns raw env; callers decide what the viewer is allowed to see.

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsSensitive

func IsSensitive(key, value string) bool

IsSensitive reports whether an env entry should be treated as a secret, by the variable name or by the shape of its value.

func MaskCommand added in v0.4.2

func MaskCommand(cmd string, mode Mode) string

MaskCommand masks credential-looking tokens inside a container's command line, leaving the rest readable: a `--flag=value` / `KEY=value` whose name or value is sensitive, or a bare token that looks like a credential (sk-…, JWT, long token). A command is mostly non-secret, so only detected tokens are masked; "off" disables it. The detection is heuristic: combined forms like `-psecret` aren't caught.

func MaskEnv

func MaskEnv(env []string, mode Mode) []string

MaskEnv returns a copy of env ("KEY=VALUE" entries) with values masked per mode. Entries without an '=' are passed through unchanged.

func MaskLabels added in v0.4.2

func MaskLabels(labels map[string]string, mode Mode) map[string]string

MaskLabels masks only label values that look sensitive (by name or value shape). Unlike env, label sets are mostly metadata (compose project, image version), so "all" is not applied wholesale; that would gut the inspect view.

func MaskLine added in v0.8.0

func MaskLine(line string, mode Mode) string

MaskLine redacts secret-shaped tokens from a single free-form log line, leaving the rest readable. A log line has no fixed structure, so unlike env (KEY=VALUE) this is best-effort: it masks `KEY=secret` / `--flag=secret` pairs, `password: secret` / `"token":"secret"` labelled values, `Authorization: Bearer <token>` headers, credentialed connection strings, and bare tokens that match a known secret shape (sk-…, JWT, long high-entropy runs). Benign content (level=info, environment=production) is left intact so the line stays useful to a viewer or an AI client.

MaskOff is a pass-through. MaskSensitive and MaskAll behave identically here: a log line can't be masked "wholesale" without destroying it, so there is no all-values mode. The masking is applied to the value tokens by literal replacement, preserving the line's original spacing.

func MaskValue

func MaskValue(v string) string

MaskValue returns the placeholder for a non-empty value (empty stays empty, there's nothing to hide).

Types

type Mode

type Mode string

Mode is how container env values are masked.

const (
	MaskAll       Mode = "all"       // mask every value (default)
	MaskSensitive Mode = "sensitive" // mask only values that look like secrets
	MaskOff       Mode = "off"       // no masking
)

func ParseLogMode added in v0.8.0

func ParseLogMode(s string) Mode

ParseLogMode maps a settings string to a log-masking Mode. Logs are free-form and default to MaskSensitive (best-effort secret redaction); only an explicit "off" disables it. There is no all-values mode: masking a whole log line wholesale would destroy it. The MCP/agent path floors this to MaskSensitive regardless, so an automated client can never set logs to "off".
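The following is an added, self-contained illustration of the MaskLine and ParseLogMode behaviour described above; it is not the package's own code and makes no claim about the package's internal patterns. It redeclares a minimal Mode so it runs on its own, uses an assumed placeholder string ("********"), assumed regular expressions for each line shape the documentation lists (KEY=secret and --flag=secret, labelled values, Bearer headers, credentialed connection strings, bare sk-/JWT tokens), and an assumed FloorForAgent function for the MCP-path rule. Each rule keeps the label and delimiters and swaps only the secret token, so the line's spacing and benign content (level=info, environment=production) survive.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mode is redeclared here only so the example runs on its own; the values match the page.
type Mode string

const (
	MaskSensitive Mode = "sensitive"
	MaskOff       Mode = "off"
)

// placeholder is an assumed replacement string; the page does not state the package's own.
const placeholder = "********"

// rule pairs a regexp with a replacement template: ${1} keeps the label or prefix and only
// the secret token is swapped for the placeholder, so spacing around it is preserved.
type rule struct {
	re   *regexp.Regexp
	repl string
}

// rules are assumed patterns for the line shapes the documentation lists. Order matters:
// labelled forms run first, so a JWT sitting inside `token=` is handled exactly once, and
// the bare-shape rules at the end catch what is left.
var rules = []rule{
	// KEY=secret and --flag=secret, keyed on the name (level=info is not touched)
	{regexp.MustCompile(`(?i)([\w-]*(?:password|passwd|secret|token|api[_-]?key))=([^\s,;"']+)`), "${1}=" + placeholder},
	// password: secret and "token":"secret"
	{regexp.MustCompile(`(?i)("?(?:password|passwd|secret|token|api[_-]?key)"?\s*:\s*"?)([^\s,;"']+)`), "${1}" + placeholder},
	// Authorization: Bearer <token>
	{regexp.MustCompile(`(?i)(authorization:\s*bearer\s+)(\S+)`), "${1}" + placeholder},
	// scheme://user:password@host (only the password part is hidden)
	{regexp.MustCompile(`([A-Za-z][\w+.-]*://[^:/\s@]+:)([^@\s]+)@`), "${1}" + placeholder + "@"},
	// bare tokens with a known secret shape: sk- keys and three-part JWTs
	{regexp.MustCompile(`\bsk-[A-Za-z0-9_-]{16,}\b`), placeholder},
	{regexp.MustCompile(`\beyJ[\w-]+\.[\w-]+\.[\w-]+\b`), placeholder},
}

// MaskLine redacts secret-shaped tokens from one free-form log line by literal replacement.
// MaskOff is a pass-through; any other mode applies the sensitive-only rules above.
func MaskLine(line string, mode Mode) string {
	if mode == MaskOff {
		return line
	}
	for _, r := range rules {
		line = r.re.ReplaceAllString(line, r.repl)
	}
	return line
}

// ParseLogMode: only an explicit "off" disables log masking; everything else, including
// "all" and an empty setting, is MaskSensitive because there is no all-values mode for logs.
func ParseLogMode(s string) Mode {
	if strings.EqualFold(strings.TrimSpace(s), "off") {
		return MaskOff
	}
	return MaskSensitive
}

// FloorForAgent (assumed name) applies the MCP/agent-path rule: an automated client that
// asked for "off" still gets MaskSensitive.
func FloorForAgent(m Mode) Mode {
	if m == MaskOff {
		return MaskSensitive
	}
	return m
}

func main() {
	// Constructed sample log lines, not captured from any real container.
	lines := []string{
		"level=info user=alice password=hunter2 environment=production",
		"GET /api Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123 200",
		"connecting to postgres://app:s3cr3t@db:5432/prod",
		`{"user":"bob","token":"sk-abcdefghijklmnopqrstuvwxyz"}`,
	}
	mode := FloorForAgent(ParseLogMode("off")) // agent path: floors back to MaskSensitive
	for _, l := range lines {
		fmt.Println(MaskLine(l, mode))
	}
}
```

The bare-shape rules are deliberately last: once a labelled rule has replaced a value with the placeholder, the JWT and sk- patterns no longer match it, so a token is never double-masked and a benign word next to it is never swallowed.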

func ParseMode

func ParseMode(s string) Mode

ParseMode maps a settings string to a Mode, defaulting to MaskAll.
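As an added, self-contained illustration of the env-side policy described above (IsSensitive, MaskValue, MaskEnv, Mode and ParseMode), the program below implements the same three-mode scheme; it is not the package's own code. The name fragments, the placeholder string ("********"), the sk-/JWT value regexes and the high-entropy thresholds (32 characters, 3.5 bits per character) are all assumptions made for this example, and the sample environment is constructed.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Mode selects how env values are masked; the three values match the page.
type Mode string

const (
	MaskAll       Mode = "all"       // mask every value (default)
	MaskSensitive Mode = "sensitive" // mask only values that look like secrets
	MaskOff       Mode = "off"       // no masking
)

// placeholder is an assumed replacement string; the page does not state the package's own.
const placeholder = "********"

// sensitiveNameParts are assumed name fragments: a variable whose upper-cased name
// contains any of them is treated as a secret regardless of its value.
var sensitiveNameParts = []string{
	"PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "APIKEY",
	"PRIVATE_KEY", "CREDENTIAL", "ACCESS_KEY",
}

// Assumed value shapes: "sk-" style API keys and three-part JWTs.
var (
	skKeyRe = regexp.MustCompile(`^sk-[A-Za-z0-9_-]{16,}$`)
	jwtRe   = regexp.MustCompile(`^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$`)
)

// shannonBits returns the Shannon entropy of s in bits per character.
func shannonBits(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// IsSensitive reports whether an env entry looks like a secret, by name or by value shape.
// The length and entropy thresholds are assumptions chosen for this example.
func IsSensitive(key, value string) bool {
	upper := strings.ToUpper(key)
	for _, part := range sensitiveNameParts {
		if strings.Contains(upper, part) {
			return true
		}
	}
	if skKeyRe.MatchString(value) || jwtRe.MatchString(value) {
		return true
	}
	// A long run with no whitespace and high entropy is probably a token, not a path or URL.
	return len(value) >= 32 && !strings.ContainsAny(value, " \t") && shannonBits(value) > 3.5
}

// MaskValue returns the placeholder for a non-empty value; an empty value has nothing to hide.
func MaskValue(v string) string {
	if v == "" {
		return ""
	}
	return placeholder
}

// MaskEnv returns a masked copy of env ("KEY=VALUE" entries); entries without '=' pass through.
func MaskEnv(env []string, mode Mode) []string {
	out := make([]string, len(env))
	for i, entry := range env {
		key, val, ok := strings.Cut(entry, "=")
		if !ok || mode == MaskOff {
			out[i] = entry
			continue
		}
		if mode == MaskSensitive && !IsSensitive(key, val) {
			out[i] = entry
			continue
		}
		out[i] = key + "=" + MaskValue(val)
	}
	return out
}

// ParseMode maps a settings string to a Mode; anything unrecognised falls back to MaskAll,
// so a typo in the setting fails closed rather than exposing values.
func ParseMode(s string) Mode {
	switch Mode(strings.ToLower(strings.TrimSpace(s))) {
	case MaskSensitive:
		return MaskSensitive
	case MaskOff:
		return MaskOff
	}
	return MaskAll
}

func main() {
	// Constructed sample env, not captured from any real container.
	env := []string{"PATH=/usr/bin", "DB_PASSWORD=hunter2", "EMPTY_SECRET=", "NOEQUALS"}
	for _, mode := range []Mode{MaskAll, MaskSensitive, MaskOff} {
		fmt.Println(mode, MaskEnv(env, mode))
	}
}
```

Note the fail-closed default in ParseMode: an unrecognised setting string yields MaskAll, the documented default, so a misconfigured viewer sees placeholders rather than raw values.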
