Skip to content

feat: adds flag secret #185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sodagunz wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: adds flag secret #185

sodagunz wants to merge 1 commit into from

Conversation

@sodagunz
Copy link

@sodagunz sodagunz commented Oct 9, 2025
edited
Loading

While it might be different from it's original intent, in practice, veil is used mostly for two different use cases:

  • Preventing personally identifiable information from being leaked
  • Preventing credentials from being leaked by accidentally logging them

While PII in debug settings is likely to be meaningless and safe to display as plaintext, credentials are best kept always redacted.

This PR introduces a way to mark fields as "secret", meaning credentials, keys, or otherwise security (as opposed to privacy) sensitive fields. It does so by introducing the #[redact(secret)] marker.

Marking a field as "secret" makes it so that it will never be unredacted, regardless of global config. It also makes it so that it's fully redacted, instead of doing it for alphanumeric characters only.

I think we should consider making this the default behavior in future releases, but of course that would be a major breaking change.

@sodagunz sodagunz requested a review from cpiemontese October 9, 2025 09:32
@sodagunz sodagunz force-pushed the redact-always branch 3 times, most recently from 0163e31 to af449fb Compare October 9, 2025 09:52
@sodagunz sodagunz changed the title feat: adds flag always feat: adds flag secret Oct 9, 2025
@sodagunz sodagunz marked this pull request as ready for review October 9, 2025 14:28
@sodagunz sodagunz requested a review from a team as a code owner October 9, 2025 14:28
@sodagunz sodagunz marked this pull request as draft October 9, 2025 15:22
@sodagunz sodagunz marked this pull request as ready for review October 9, 2025 15:27
@sodagunz
Copy link
Author

sodagunz commented Oct 9, 2025

Sorry for the force pushes, GH was degraded and I was trying to understand what was going on.

@sodagunz sodagunz force-pushed the redact-always branch 2 times, most recently from f2dec55 to c8ed47b Compare October 9, 2025 15:32
cpiemontese
cpiemontese reviewed Oct 13, 2025
View reviewed changes
Copy link
Contributor

@cpiemontese cpiemontese left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, we will understand if and how to proceed with this feature in veil and will take this approach in consideration

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpiemontese cpiemontese cpiemontese left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sodagunz @cpiemontese