Redacting secret values in the configuration summary#1922

Merged: lionello merged 13 commits into main from kevin/secret on Feb 12, 2026

Conversation


@KevyVo KevyVo commented Feb 11, 2026

Description

This pull request introduces support for redacting secret values in the configuration summary output, particularly when displaying environment variables that are likely to contain sensitive data. The changes add a mechanism to mask secrets in summaries, update the relevant code paths to use this redacted summary when appropriate, and expand test coverage to ensure the new behavior works as intended.

We will now redact on every compose up but not when the user explicitly calls defang config resolve.

While adding the test case 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08, this hex did not pass the secret detector. Turns out we need to set our values to a certain format, for which we chose yaml, and slightly lower our entropy from 4 -> 3.7.

Linked Issues

#1920

Checklist

  • I have performed a self-review of my code
  • I have added appropriate tests
  • I have updated the Defang CLI docs and/or README to reflect my changes, if necessary

Summary by CodeRabbit

  • New Features

    • Added an option to display redacted configuration previews so sensitive values are masked when enabled.
    • Masking now shows partial trailing characters for secret-like values.
  • Bug Fixes / Improvements

    • Secret detection improved by analyzing both variable names and values and refined entropy thresholds.
  • Tests

    • Added extensive test cases and golden fixtures covering many redaction scenarios (API keys, creds, DB URLs, empty values, URLs with passwords).

@KevyVo KevyVo added this to the Feb2026 milestone Feb 11, 2026
@KevyVo KevyVo self-assigned this Feb 11, 2026
@KevyVo KevyVo added go Pull requests that update Go code high High priority labels Feb 11, 2026

coderabbitai bot commented Feb 11, 2026

📝 Walkthrough

Adds redaction support to config-resolution summaries, exposes a redacted public wrapper, switches compose upload to call the redacted variant, changes secret detection to return detector types and tighter rules, updates callers, and adds extensive redaction-focused testdata and tests.

Changes

Cohort / File(s): Summary

  • Compose upload change (src/pkg/cli/composeUp.go): Replaced call to PrintConfigSummaryAndValidate(...) with PrintRedactedConfigSummaryAndValidate(...).
  • Config resolution & redaction (src/pkg/cli/configResolution.go, src/pkg/cli/configResolution_test.go): Added redact boolean path and maskTrailingConfigValue; introduced public wrappers PrintConfigSummaryAndValidate and PrintRedactedConfigSummaryAndValidate; updated tests to parameterize testdata dirs and add redaction tests.
  • Secret detection API & rules (src/pkg/cli/compose/config_detector.go, src/pkg/cli/compose/config_detector_test.go): Changed IsSecret signature to IsSecret(key, value string) (bool, []string, error) to return detector types; adjusted detector config (yaml transformer, entropy threshold) and added a high-entropy test case.
  • Validation & callers updated (src/pkg/cli/compose/validation.go, src/pkg/cli/migrate/migrate.go): Updated callers to new IsSecret(key, value) signature; logic now branches on returned boolean and surfaces detector types where applicable.
  • Redaction testdata (src/pkg/cli/testdata/redact-config/...): Added comprehensive redaction test scenarios and golden outputs (multiple subdirs: api-keys, cloud-credentials, database-urls, empty-values, high-entropy-strings, mixed-secrets-and-plain, not-secrets, secrets-in-env-file, url-with-password) including .env, compose.yaml, and .golden files.
  • Config-resolution golden tweaks (src/pkg/cli/testdata/config-resolution/...): Adjusted masking length in a few golden files (increasing from ***** to ******) to match new masking behavior.


Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • jordanstephens
  • lionello
  • edwardrf

Poem

🐰 I hop through envs with tiny paws,
Snip tokens down to secret laws.
I mask the tails, keep names in sight,
Whispering secrets out of light.
A rabbit watches, soft and bright.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 26.67% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title clearly and accurately summarizes the main change: adding functionality to redact secret values when displaying the configuration summary.


No actionable comments were generated in the recent review. 🎉


@KevyVo KevyVo linked an issue Feb 11, 2026 that may be closed by this pull request
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@src/pkg/cli/testdata/redact-config/high-entropy-strings/compose.yaml.golden`:
- Around line 4-8: The ENCRYPTION_KEY value is not being redacted even though it
matches the high-entropy and keyword rules used for SESSION_SECRET and
SIGNING_KEY; update the secret-detection/redaction logic so keys containing
"KEY" (e.g., ENCRYPTION_KEY) get the same treatment as keys containing "SECRET"
by ensuring the keyword detector includes "KEY" (case-insensitive) or that the
high_entropy_string detector is applied regardless of key-name branching with
threshold=4, then regenerate the golden so the value becomes 9f86***; check
functions/modules named like high_entropy_string detector and the keyword
detector/whitelist handling where SESSION_SECRET and SIGNING_KEY are matched.

In `@src/pkg/cli/testdata/redact-config/secrets-in-env-file/.env`:
- Around line 1-4: The .env fixture contains realistic-looking secrets
(GITHUB_TOKEN, DATABASE_URL, POSTGRES_PASSWORD, API_SECRET) which will trigger
secret scanners; update the fixture values to clearly synthetic placeholders
that preserve key names and required formats for tests (e.g.,
GITHUB_TOKEN=ghp_FAKE_TOKEN, DATABASE_URL=postgres://user:pass@host:5432/dbname,
POSTGRES_PASSWORD=FAKE_PASSWORD, API_SECRET=FAKE_SECRET) or alternatively ensure
the testdata path is excluded from your secret-scanner config, then run the
redaction tests to confirm they still exercise the same code paths.
🧹 Nitpick comments (1)
src/pkg/cli/configResolution_test.go (1)

53-75: Consider adding defangConfigs cases for redacted tests.

The new TestPrintRedactedConfigResolutionSummary passes nil for defangConfigs (Line 63), while TestPrintConfigResolutionSummary has explicit case-based handling for different test scenarios (Lines 26-37). If the redaction logic should also respect known defang config variables (in addition to pattern-based detection), you may want similar case handling here for completeness.

If passing nil is intentional because redaction relies solely on value/name pattern detection, this is fine as-is.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/pkg/cli/configResolution.go`:
- Around line 36-42: The maskTrailingConfigValue function currently exposes
4-character secrets; change the logic so any value with length <= 4 is fully
masked (return configMaskedValue) instead of returning it unmasked, and for
values longer than 4 keep the visible prefix of the first 4 characters but mask
the rest (use strings.Repeat("*", len(value)-4) rather than a fixed 3 stars) to
avoid revealing suffixes—update maskTrailingConfigValue accordingly.
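
The PR description's entropy change and the review comment above touch the same two pieces of logic, so here is one added Go example (not the project's code: isLikelySecret, maskConfigValue and the 16-character minimum are hypothetical names and choices, and the "******" full mask is inferred from the golden-file tweak) showing why a Shannon-entropy threshold of 4 can never fire on a hex value such as the PR's sha256 test string, how a key-and-value detector can report which detector types fired, and a masking rule that fully hides values of four characters or fewer. Whether the project's detector library computes entropy exactly this way is an assumption.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// shannonEntropy returns bits per character; a hex string draws from 16 symbols, so it never exceeds log2(16) = 4.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// isLikelySecret stands in for the PR's IsSecret(key, value) shape (hypothetical, not project
// code): it returns the detector types that fired so a caller can explain a redaction.
func isLikelySecret(key, value string) (bool, []string) {
	var types []string
	if k := strings.ToUpper(key); strings.Contains(k, "SECRET") || strings.Contains(k, "KEY") ||
		strings.Contains(k, "TOKEN") || strings.Contains(k, "PASSWORD") {
		types = append(types, "keyword")
	}
	if len(value) >= 16 && shannonEntropy(value) >= 3.7 { // 3.7: the threshold the PR settled on
		types = append(types, "high_entropy_string")
	}
	return len(types) > 0, types
}

// maskConfigValue keeps the first four characters plus a fixed "***" so the length is not
// disclosed; four characters or fewer is fully masked ("******" is inferred from the golden tweak).
func maskConfigValue(value string) string {
	if len(value) <= 4 {
		return "******"
	}
	return value[:4] + "***"
}

func main() {
	v := "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" // constructed: sha256("test") in hex
	ok, types := isLikelySecret("ENCRYPTION_KEY", v)
	fmt.Println(shannonEntropy(v), ok, types, maskConfigValue(v))
}
```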

@lionello lionello enabled auto-merge (squash) February 12, 2026 00:49
@lionello lionello merged commit 9d76f36 into main Feb 12, 2026
6 checks passed
@lionello lionello deleted the kevin/secret branch February 12, 2026 00:49

Development: successfully merging this pull request may close the issue "Truncate secret for env and env file".
