fix: prevent secret variable leaks in summary, verbose and key ordering

- mask secret values in `task --summary` (commands and vars listing)
- mask resolved value of dynamic (sh) secrets in verbose logs
- use masked command for platform-skipped verbose log
- allow `secret` key in any position in a var definition (not only first)
- add `value` to the JSON schema var definition
- skip masking pass when no secret is present and dedup mask helpers
- document that the `secret` flag is not propagated to derived variables
Valentin Maerten
2026-06-29 12:36:56 +02:00
parent 8545e02e5e
commit da90ecd083
12 changed files with 175 additions and 60 deletions

View File

@@ -1636,6 +1636,7 @@ in logs, but is **not a substitute** for proper secret management practices.
- ❌ Secrets visible in process inspection (e.g., `ps aux`)
- ❌ Secrets in shell history
- ❌ Secrets in command output (stdout/stderr)
- ❌ Secret values copied into derived (non-secret) variables
Always use proper secret management tools (HashiCorp Vault, AWS Secrets
Manager, etc.) for production environments.
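Review bot: the new limitation bullet (`Secret values copied into derived (non-secret) variables`) would be easier to act on if it pointed readers to the remedy; the same commit adds a `::: warning` block in the secrets section explaining that every derived variable must carry its own `secret: true`. Suggest appending a short cross-reference such as "(see the warning under secret variables)" so the limitations list and the fix stay linked.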
@@ -1771,6 +1772,40 @@ tasks:
:::
::: warning
**Secrets are not propagated to derived variables.** The `secret` flag only
masks the variable it is set on. A non-secret variable that references a secret
will expose the resolved value in logs:
```yaml
version: '3'
vars:
API_KEY:
value: 'secret-api-key-123'
secret: true
HEADER:
value: 'Bearer {{.API_KEY}}' # ❌ not marked as secret
tasks:
call:
cmds:
- curl -H "{{.HEADER}}" api.example.com
# Logged as: curl -H "Bearer secret-api-key-123" api.example.com (LEAK)
```
Mark every variable that carries a secret value as `secret: true`:
```yaml
vars:
HEADER:
value: 'Bearer {{.API_KEY}}'
secret: true # ✅ masked
```
:::
## Looping over values
Task allows you to loop over certain values and execute a command for each.
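Review bot: the remediation snippet after "Mark every variable that carries a secret value as `secret: true`" shows only `HEADER`, so a reader skimming the two examples may conclude that `API_KEY` itself no longer needs the flag once the derived variable is marked. Suggest either keeping both `API_KEY` and `HEADER` with `secret: true` in the fixed snippet, or adding one sentence that the source variable must stay marked as well, since masking is applied per variable and is not inherited in either direction.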

View File

@@ -319,6 +319,9 @@
"type": "object",
"description": "The value will be treated as a literal map type and stored in the variable"
},
"value": {
"description": "A literal value assigned to the variable. Useful together with other keys such as 'secret'"
},
"secret": {
"type": "boolean",
"description": "Marks the variable as secret. Secret values will be masked as ***** in command logs to prevent accidental exposure of sensitive information."
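Review bot: the new `value` entry has a `description` but no `type`, so the schema accepts any JSON for it (string, number, boolean, object, array); if that is intended, the description should say so explicitly, and if the implementation only accepts scalars here (with `map` reserved for objects, as its own description states), add the matching `type` list. Also worth deciding whether `value` may be combined with `sh` or `map` on the same variable; if the loader rejects that, encode it in the schema rather than leaving it to a runtime error.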