How to mask secrets in job/task output

Does Concourse have the ability to mask secrets that may leak into stdout or stderr? I’m finding that various tools (or developers!) might unintentionally dump out environment variables or use “set -x” or enable debugging in some tool that shows passwords and such.

If it doesn’t exist, this would be a nice addition/feature for the corporate environments. We push all logs out to log collectors and really don’t want to have secrets appear.

For our use case, I would define a secret as any value pulled from CredHub (or Vault or whatever secrets manager is being used).


There is no such feature. Maximum you can do today is to use separate Concourse teams (since secrets can be partitioned by team) and not use public: in the pipeline file, prefer fly expose-pipeline (or nothing at all), which still doesn’t solve your problem of the log collectors. On the other hand, this looks a difficult problem. How could Concourse know that a tool or a shell is printing/logging secrets?

I’m wondering if something like could be useful? If it only could be plugged in somewhere in the log pipeline.

Hence the question! :wink:

If I were to be asked about general details, it would be to post-process all log output, replacing any text that was pulled out of the secrets management tool. Not perfect, but it would at least error on the “too much stuff was masked” side.

I don’t know enough about the internals of Concourse to judge the reality of that concept. I didn’t see anything that seemed related, so thought it would be a good ask.

1 Like

I’d like to mention to late readers here, that this feature is now built (but optional) in Concourse since v5.6.0 (Oct. 2019), and stabilized since v5.8.0 (Jan. 2020).