
security: redact secret patterns from CLI log and error output #664

@ericksoa

Description


Summary

Runner error messages and verbose CLI output can leak API keys and other secrets when commands fail. Add auto-redaction of known secret patterns (nvapi-*, bearer tokens, etc.) from all CLI output.

Identified during review of #390.

Scope

  • Add a redact() helper to bin/lib/runner.js that masks known secret patterns
  • Apply to all run() and runCapture() error output
  • Apply to any verbose/debug logging that includes command strings
  • Tests: verify known patterns are masked, verify non-secret strings are untouched
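An added example of a redact() helper in the shape the scope above describes, applied to both plain strings and the error objects run()/runCapture() would surface. This is not code from #664 or from bin/lib/runner.js; the regexes (minimum token lengths, allowed characters), the `[REDACTED]` placeholder, the redactError() wrapper and the error fields it scrubs (cmd, stdout, stderr, as Node's child_process attaches to failed-command errors) are all assumptions.

```javascript
'use strict';

// Redaction rules. Each keeps a short, non-secret prefix (so a redacted log
// line is still recognisable) and masks the rest of the match.
// The exact shapes are assumptions, not the project's patterns.
const MASK = '[REDACTED]';
const SECRET_PATTERNS = [
  // NVIDIA-style API keys: "nvapi-" followed by the key body.
  { name: 'nvapi-key', re: /\bnvapi-[A-Za-z0-9_-]{8,}/g, keep: 'nvapi-' },
  // HTTP bearer tokens in headers or command strings: "Authorization: Bearer <token>".
  // Case-insensitive so "bearer" is caught too; $1 preserves the original casing.
  { name: 'bearer-token', re: /\b(Bearer\s+)[A-Za-z0-9._~+/=-]{8,}/gi, keep: '$1' },
];

// Mask every known secret pattern in a string. Non-strings and empty strings
// are returned unchanged so callers can pass through whatever they have.
function redact(text) {
  if (typeof text !== 'string' || text.length === 0) return text;
  return SECRET_PATTERNS.reduce((out, p) => out.replace(p.re, p.keep + MASK), text);
}

// Build a sanitized copy of an error before it is logged or rethrown.
// Child-process errors carry the command line and captured streams, which
// are the places secrets usually leak from, so those are scrubbed as well.
function redactError(err) {
  if (!(err instanceof Error)) return redact(String(err));
  const clean = new Error(redact(err.message));
  clean.name = err.name;
  for (const key of ['cmd', 'stdout', 'stderr']) {
    if (typeof err[key] === 'string') clean[key] = redact(err[key]);
  }
  if (typeof err.code !== 'undefined') clean.code = err.code;
  return clean;
}

// Constructed sample: the kind of failure message a runner would print verbatim.
const SAMPLE_FAILURE = 'Command failed: curl -H "Authorization: Bearer abc123def456ghi" https://api.example.com';
// -> 'Command failed: curl -H "Authorization: Bearer [REDACTED]" https://api.example.com'
console.log(redact(SAMPLE_FAILURE));

if (typeof module !== 'undefined') {
  module.exports = { redact, redactError, SECRET_PATTERNS, MASK };
}
```

A runner would route every error path through redactError() before console.error() or rethrow, and pass any verbose command string through redact() before logging it; keeping the rules in one table means a new key format is one added entry plus one test case.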

Labels

  • priority: high (Important issue that should be resolved in the next release)
  • security (Something isn't secure)
