
vminitd: Scrub envvars printed in debug log #521

Open

dcantah wants to merge 1 commit into apple:main from dcantah:vminitd-log-scrub

@dcantah (Member) commented Feb 7, 2026

Closes #518

We print the OCI spec at debug level, and this can contain sensitive info in envvars specifically. Let's redact the values in the envvars before we print. I went the route of just redacting everything as trying to check against some "possibly sensitive looking vars" seems rife for never getting it fully right.

This is what the envvars look like after the change: `env: ["PATH=<redacted>", "HOME=<redacted>"]`

This does make debugging worse, but that's the tradeoff.
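
The redact-everything approach described above, set beside a name-pattern denylist, as an added example that is not the PR's code or the project's own. `redactedEnv` and `denylistRedactedEnv` are hypothetical helpers, and the sample entries are constructed.

```swift
import Foundation

// Added illustration; not code from this PR or repository.
// `redactedEnv` and `denylistRedactedEnv` are hypothetical helpers.
let placeholder = "<redacted>"

/// Redact the value of every "KEY=VALUE" entry, keeping only the name.
/// Returns a new array, so the env handed to the process is untouched
/// and only the copy that gets logged is scrubbed.
func redactedEnv(_ env: [String]) -> [String] {
    env.map { entry in
        // Split on the first "=" only: values may themselves contain "=".
        guard let eq = entry.firstIndex(of: "=") else {
            // No "=": name and value cannot be told apart, hide it all.
            return placeholder
        }
        return "\(entry[..<eq])=\(placeholder)"
    }
}

/// The alternative the PR rejects: redact only names that look sensitive.
func denylistRedactedEnv(_ env: [String]) -> [String] {
    let hints = ["SECRET", "TOKEN", "PASSWORD", "KEY"]
    return env.map { entry in
        guard let eq = entry.firstIndex(of: "=") else { return entry }
        let name = entry[..<eq].uppercased()
        guard hints.contains(where: { name.contains($0) }) else { return entry }
        return "\(entry[..<eq])=\(placeholder)"
    }
}

// Constructed sample env, not taken from any real workload.
let env = [
    "PATH=/usr/local/bin:/usr/bin",
    "DATABASE_URL=postgres://app:hunter2@db.internal/prod", // credential under a harmless-looking name
    "API_TOKEN=abc123",
    "JAVA_OPTS=-Dcfg=a=b", // value contains "="
    "MALFORMED",           // no "=" at all
]

print("denylist:  ", denylistRedactedEnv(env))
print("redact all:", redactedEnv(env))
```

The denylist version leaves the `DATABASE_URL` entry, with its embedded password, intact in the output; the redact-all version keeps only the variable names.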


Development

Successfully merging this pull request may close these issues.

[Bug]: vminitd logs can expose environment variable secrets