feat: add --redact-secrets to mask sensitive fields by name#271
Open
jongio wants to merge 1 commit into
Open
Conversation
Add a --redact-secrets flag that masks any JSON response field whose name looks sensitive (password, secret, credential, connectionString, accountKey, sasToken, and similar) at any depth, without needing an explicit --redact path for each one. Matching normalizes key names so connectionString, connection_string, and connection-string all match. The whole value of a matched key is replaced with REDACTED. Runs alongside --redact and needs parsed JSON, so raw and binary output are left unchanged. Closes #265 Co-authored-by: Copilot App <[email protected]>
Contributor
|
🚀 Website Preview Your PR preview is ready! 📎 Preview URL: https://jongio.github.io/azd-rest/pr/271/ This preview will be automatically cleaned up when the PR is closed. |
Contributor
🚀 Test This PRA preview build ( One-Line Install (Recommended)PowerShell (Windows): iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/install-pr.ps1) } -PrNumber 271 -Version 0.5.0-pr271"Bash (macOS/Linux): curl -fsSL https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/install-pr.sh | bash -s 271 0.5.0-pr271UninstallPowerShell (Windows): iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/uninstall-pr.ps1) } -PrNumber 271"Bash (macOS/Linux): curl -fsSL https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/uninstall-pr.sh | bash -s 271Build Info:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a
--redact-secretsflag that masks any JSON response field whose name looks sensitive, without needing a--redactpath for each one.It matches key names like
password,secret,credential,connectionString,sharedAccessKey,accountKey,apiKey,accessToken,sasToken, and similar, at any depth in the response. Matching normalizes the key first (lowercase, non-alphanumeric stripped), soconnectionString,connection_string, andconnection-stringall match the same term. When a key matches, its whole value is replaced withREDACTED.Why
--redactis precise but needs an exact dotted path per field. When you paste a Key Vault, storage, or resource response into an issue or a log, one stray connection string or account key can leak.--redact-secretsis a fast, path-free guard for that case: turn it on and the obvious secret-shaped fields are masked before anything reaches your terminal or a file.Behavior
--redact. Explicit paths still apply; this adds name-based masking on top.--raw-output) and binary output are left unchanged, with a note on stderr unless--silent.keyandtokenare deliberately not matched on their own, so fields likepartitionKeyor a CSRFtokenname are left alone. Matching is substring based, so a term likesecretalso maskssecretName. Use--redactwhen you need exact control.Example
azd rest get https://myvault.vault.azure.net/secrets/mysecret?api-version=7.4 --redact-secretsTests
Docs updated in the README and the reference flag table.
Closes #265