Documentation
Overview
Package sanitizer wraps output streams with secret masking. It composes phrasestream layers to provide:
- Pre-known secret phrases supplied at construction.
- GitLab token-prefix masking (e.g. "glpat-XXX" -> "[MASKED]"), with a configurable prefix list defaulting to DefaultTokenPrefixes.
- URL-parameter value masking for a hardcoded set of credential-bearing query keys (e.g. "?private_token=XXX" -> "?private_token=[MASKED]").
- Runtime secret registration via the GitHub-style ::add-mask:: workflow command. Secrets registered on any wrapped stream are masked across all of them.
Constants
This section is empty.
Variables
var DefaultTokenPrefixes = []string{
	"glpat-",
	"gloas-",
	"gldt-",
	"glrt-",
	"glrtr-",
	"glcbt-",
	"glptt-",
	"glft-",
	"glimt-",
	"glagent-",
	"glwt-",
	"_gitlab_session=",
	"glsoat-",
	"glffct-",
	"gltok-",
}
DefaultTokenPrefixes are the GitLab-issued token prefixes Step Runner scrubs by default. See https://docs.gitlab.com/security/tokens/#token-prefixes. Callers can override via Config.TokenPrefixes.
Functions
This section is empty.
Types
type Config
type Config struct {
	// Phrases are pre-known secrets. Each phrase (and a handful of common
	// encodings — base64, URL-, JSON-, XML-escaped, etc.) is registered as
	// a mask target on every wrapped stream.
	Phrases []string
	// TokenPrefixes overrides DefaultTokenPrefixes when non-nil. An
	// explicit empty slice disables token-prefix masking entirely.
	TokenPrefixes []string
}
Config configures a Sanitizer.
type Sanitizer
type Sanitizer struct {
	// contains filtered or unexported fields
}
Sanitizer wraps output streams, masking secrets registered at construction (Config.Phrases) and at runtime (::add-mask:: directive) from every wrapped stream.
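The nil-versus-empty rule for Config.TokenPrefixes and the two pattern-based masks from the overview, shown as an added example that is not the package's own code. The names config, effectivePrefixes and maskLine and the token-body character class are assumptions for illustration, and the sketch masks whole strings rather than streams.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Subset of the page's DefaultTokenPrefixes, repeated so this block runs alone.
var defaultPrefixes = []string{"glpat-", "glrt-", "_gitlab_session="}

// config mirrors only the TokenPrefixes field documented for Config.
type config struct{ TokenPrefixes []string }

// effectivePrefixes applies the documented rule: nil means "use defaults",
// while a non-nil empty slice disables token-prefix masking.
func effectivePrefixes(c config) []string {
	if c.TokenPrefixes == nil {
		return defaultPrefixes
	}
	return c.TokenPrefixes
}

// Assumption: a token body is a run of [A-Za-z0-9_.-]; the package's real
// boundary rule is not shown on the page.
const tokenBody = `[A-Za-z0-9_.-]+`

// urlParam matches the one credential-bearing query key the page names.
var urlParam = regexp.MustCompile(`([?&]private_token=)[^&\s#]+`)

// maskLine replaces prefixed tokens and private_token values with [MASKED].
func maskLine(c config, line string) string {
	line = urlParam.ReplaceAllString(line, "${1}[MASKED]")
	prefixes := effectivePrefixes(c)
	if len(prefixes) == 0 {
		return line
	}
	quoted := make([]string, len(prefixes))
	for i, p := range prefixes {
		quoted[i] = regexp.QuoteMeta(p) // prefixes are literals, not patterns
	}
	re := regexp.MustCompile(`(?:` + strings.Join(quoted, "|") + `)` + tokenBody)
	return re.ReplaceAllString(line, "[MASKED]")
}

func main() {
	// Constructed sample lines; the token values are made up.
	fmt.Println(maskLine(config{}, "GET /api?private_token=s3cr3t&page=2"))
	fmt.Println(maskLine(config{TokenPrefixes: []string{}}, "token glpat-abc123DEF"))
}
```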