Skip to content

feat: add --redact-secrets to mask sensitive fields by name#271

Open
jongio wants to merge 1 commit into
mainfrom
idea/redact-secrets
Open

feat: add --redact-secrets to mask sensitive fields by name#271
jongio wants to merge 1 commit into
mainfrom
idea/redact-secrets

Conversation

@jongio

@jongio jongio commented Jul 12, 2026

Copy link
Copy Markdown
Owner

What

Adds a --redact-secrets flag that masks any JSON response field whose name looks sensitive, without needing a --redact path for each one.

It matches key names like password, secret, credential, connectionString, sharedAccessKey, accountKey, apiKey, accessToken, sasToken, and similar, at any depth in the response. Matching normalizes the key first (lowercase, non-alphanumeric stripped), so connectionString, connection_string, and connection-string all match the same term. When a key matches, its whole value is replaced with REDACTED.

Why

--redact is precise but needs an exact dotted path per field. When you paste a Key Vault, storage, or resource response into an issue or a log, one stray connection string or account key can leak. --redact-secrets is a fast, path-free guard for that case: turn it on and the obvious secret-shaped fields are masked before anything reaches your terminal or a file.

Behavior

  • Runs alongside --redact. Explicit paths still apply; this adds name-based masking on top.
  • Needs parsed JSON. Raw (--raw-output) and binary output are left unchanged, with a note on stderr unless --silent.
  • The bare words key and token are deliberately not matched on their own, so fields like partitionKey or a CSRF token name are left alone. Matching is substring based, so a term like secret also masks secretName. Use --redact when you need exact control.

Example

azd rest get https://myvault.vault.azure.net/secrets/mysecret?api-version=7.4 --redact-secrets

Tests

  • Unit tests cover sensitive vs non-sensitive keys, nested objects and arrays, whole-subtree masking, case-insensitive matching, number preservation, and invalid JSON pass-through.
  • Execute-level tests confirm a sensitive field is masked in the rendered output and that raw output is left unchanged.

Docs updated in the README and the reference flag table.

Closes #265

Add a --redact-secrets flag that masks any JSON response field whose name
looks sensitive (password, secret, credential, connectionString, accountKey,
sasToken, and similar) at any depth, without needing an explicit --redact path
for each one. Matching normalizes key names so connectionString,
connection_string, and connection-string all match. The whole value of a
matched key is replaced with REDACTED. Runs alongside --redact and needs
parsed JSON, so raw and binary output are left unchanged.

Closes #265

Co-authored-by: Copilot App <[email protected]>
@jongio jongio added the idea Feature idea from the idea pipeline label Jul 12, 2026
@jongio jongio self-assigned this Jul 12, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Website Preview

Your PR preview is ready!

📎 Preview URL: https://jongio.github.io/azd-rest/pr/271/

This preview will be automatically cleaned up when the PR is closed.

github-actions Bot added a commit that referenced this pull request Jul 12, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Test This PR

A preview build (0.5.0-pr271) is ready for testing!

One-Line Install (Recommended)

PowerShell (Windows):

iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/install-pr.ps1) } -PrNumber 271 -Version 0.5.0-pr271"

Bash (macOS/Linux):

curl -fsSL https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/install-pr.sh | bash -s 271 0.5.0-pr271

Uninstall

PowerShell (Windows):

iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/uninstall-pr.ps1) } -PrNumber 271"

Bash (macOS/Linux):

curl -fsSL https://raw.githubusercontent.com/jongio/azd-rest/main/scripts/uninstall-pr.sh | bash -s 271

Build Info:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

idea Feature idea from the idea pipeline

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add --redact-secrets to auto-mask common sensitive response fields

1 participant