Skip to content

Scrub [Secret] values from all log output (plugin-SDK prerequisite) #443

Description

@ChrisonSimtian

Problem

[Secret] (src/Fallout.Build/ParameterAttribute.cs:76) is a passive marker only — there is no SensitiveValueRegistry or output scrubber anywhere, so resolved secret values are never masked from logs. docs/adr/0002-cross-provider-auth-and-secret-conventions.md rule 6 ("log masking is a framework-level service") flags this as open; the plugin SDK makes it blocking.

Outcome

Values resolved into [Secret]-marked fields never appear in any build output — framework or plugin — so a third-party plugin cannot leak a resolved secret to CI logs.

Acceptance criteria

  • A central SensitiveValueRegistry (or equiv) registers every value injected into a [Secret] field, at injection time (value-injection middleware / IOnBuildCreated).
  • Logging middleware scrubs registered values from stdout, stderr, target logs, and the build summary before write.
  • Scrubbing covers plugin-emitted output, not only framework output.
  • Test: a secret written via Log, Console, or target output does not appear in captured output.

Notes

Open questions

  • How to handle transformed secrets a plugin derives (base64, URL-embedded) — scrub only the literal, or registered variants too?

Metadata

Metadata

Assignees

No one assigned

    Labels

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions