mirror of
https://github.com/go-task/task.git
synced 2026-07-02 17:08:45 +00:00
fix: prevent secret variable leaks in summary, verbose and key ordering
- mask secret values in `task --summary` (commands and vars listing)
- mask resolved value of dynamic (sh) secrets in verbose logs
- use masked command for platform-skipped verbose log
- allow `secret` key in any position in a var definition (not only first)
- add `value` to the JSON schema var definition
- skip masking pass when no secret is present and dedup mask helpers
- document that the `secret` flag is not propagated to derived variables
@@ -1636,6 +1636,7 @@ in logs, but is **not a substitute** for proper secret management practices.
- ❌ Secrets visible in process inspection (e.g., `ps aux`)
- ❌ Secrets in shell history
- ❌ Secrets in command output (stdout/stderr)
- ❌ Secret values copied into derived (non-secret) variables
Always use proper secret management tools (HashiCorp Vault, AWS Secrets
Manager, etc.) for production environments.
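Review bot: The new bullet states that secret values copied into derived (non-secret) variables are not masked, but this limitation list offers no remedy, while the same commit adds a `Secrets are not propagated to derived variables` warning further down in this file that shows the fix (`secret: true` on the derived variable as well). Consider ending the bullet with a short pointer to that warning so readers who only scan the limitation list also learn the mitigation.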
@@ -1771,6 +1772,40 @@ tasks:
:::
::: warning
**Secrets are not propagated to derived variables.** The `secret` flag only
masks the variable it is set on. A non-secret variable that references a secret
will expose the resolved value in logs:
```yaml
version: '3'
vars:
API_KEY:
value: 'secret-api-key-123'
secret: true
HEADER:
value: 'Bearer {{.API_KEY}}' # ❌ not marked as secret
tasks:
call:
cmds:
- curl -H "{{.HEADER}}" api.example.com
# Logged as: curl -H "Bearer secret-api-key-123" api.example.com (LEAK)
```
Mark every variable that carries a secret value as `secret: true`:
```yaml
vars:
HEADER:
value: 'Bearer {{.API_KEY}}'
secret: true # ✅ masked
```
:::
## Looping over values
Task allows you to loop over certain values and execute a command for each.
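Review bot: The corrected snippet shows only `HEADER` with `secret: true` and drops `API_KEY`, so a reader who copies it verbatim loses the `API_KEY` definition (or, when merging by hand, its `secret: true`); repeat the `API_KEY` entry in the second block, or add a comment such as `# API_KEY unchanged from above`. It would also help to qualify the `(LEAK)` comment: marking `HEADER` as secret hides the resolved header from command logs, verbose output and `--summary`, but the value is still passed to `curl` as a process argument, which the limitation list earlier in this file (`ps aux`, shell history, command output) already states and could be referenced here.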
@@ -319,6 +319,9 @@
"type": "object",
"description": "The value will be treated as a literal map type and stored in the variable"
},
"value": {
"description": "A literal value assigned to the variable. Useful together with other keys such as 'secret'"
},
"secret": {
"type": "boolean",
"description": "Marks the variable as secret. Secret values will be masked as ***** in command logs to prevent accidental exposure of sensitive information."
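Review bot: The new `value` property carries only a `description` and no `type`, unlike the neighbouring literal-map entry (`"type": "object"`) and `secret` (`"type": "boolean"`); if `value` is meant to accept any literal scalar, say so in the description or give it an explicit `type` list, so that schema validation can reject a nested object placed under `value` rather than under the map form. The `secret` description is also narrower than what this commit implements: per the commit message, masking now covers `task --summary` and verbose logs as well as command logs, and the docs hunk warns that the flag is not propagated to derived variables; both are worth a sentence here, since this description is what users see when validating or editing a Taskfile against the schema.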