Skip to content

fix(security): sanitize secrets in debug logs #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aviadshiber merged 1 commit into from
Jan 28, 2026
Merged

fix(security): sanitize secrets in debug logs #124

aviadshiber merged 1 commit into from
Jan 28, 2026
+298 −10

Conversation

@aviadshiber
Copy link
Owner

@aviadshiber aviadshiber commented Jan 28, 2026

Summary

  • Fix security issue where debug logs were exposing sensitive environment variables (API keys, tokens, passwords) when KAPSIS_DEBUG was enabled
  • Add comprehensive sanitize_secrets() function to mask sensitive values in log output
  • Update log_cmd(), log_enter(), and log_var() to automatically sanitize their output
  • Add fallback sanitization in entrypoint.sh when logging.sh is not available

Changes

File Change
scripts/lib/logging.sh Add secret sanitization functions and update logging utilities
scripts/launch-agent.sh Fix container command debug log to use sanitization
scripts/entrypoint.sh Add fallback sanitization when logging.sh unavailable
tests/test-logging.sh Add 10 new tests for secret sanitization

Patterns Masked

Variables containing these keywords (case-insensitive) are now masked:

  • KEY, TOKEN, SECRET, PASSWORD, CREDENTIALS
  • AUTH, BEARER, API_KEY, PRIVATE

Example

Before:

[DEBUG] Container command: podman run -e API_KEY=supersecret123 -e GITHUB_TOKEN=ghp_abc ...

After:

[DEBUG] Container command: podman run -e API_KEY=***MASKED*** -e GITHUB_TOKEN=***MASKED*** ...

Test plan

  • All 39 logging tests pass (including 10 new secret sanitization tests)
  • Verified sanitize_secrets() correctly masks sensitive patterns
  • Verified non-sensitive variables are preserved
  • Manual test with KAPSIS_DEBUG=1 to verify no secrets leak

🤖 Generated with Claude Code

@aviadsTaboola @claude
fix(security): sanitize secrets in debug logs
09f358a 
Debug logging was exposing sensitive environment variables (API keys,
tokens, passwords) when KAPSIS_DEBUG was enabled. This fix adds
comprehensive secret sanitization:

- Add sanitize_secrets() function to logging.sh that masks values of
  variables containing KEY, TOKEN, SECRET, PASSWORD, CREDENTIALS,
  AUTH, BEARER, API_KEY, or PRIVATE (case-insensitive)
- Update log_cmd(), log_enter(), and log_var() to sanitize output
- Fix container command debug log in launch-agent.sh
- Add fallback sanitization in entrypoint.sh when logging.sh unavailable
- Add 10 new tests for secret sanitization functionality

Before: [DEBUG] Container command: podman run -e API_KEY=secret123 ...
After:  [DEBUG] Container command: podman run -e API_KEY=***MASKED*** ...

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@aviadshiber aviadshiber merged commit 57ccfde into main Jan 28, 2026
11 checks passed
@aviadshiber aviadshiber deleted the fix/secret-sanitization-in-logs branch January 28, 2026 09:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aviadshiber @aviadsTaboola