secret

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2026 License: MIT Imports: 2 Imported by: 0

Documentation

Overview

Package secret holds the canonical secret-env-key predicate shared by every site that filters or redacts environment variables before they reach a child process or an exported config. Keeping ONE list prevents the divergence that let a bare *_KEY (e.g. PRIVATE_KEY) be redacted on one path and leak on another (audit finding B-09).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ContainsCredentialURL added in v1.0.0

func ContainsCredentialURL(s string) bool

ContainsCredentialURL reports whether s contains a URL/DSN authority with an explicit user:password component, for example postgres://user:pass@host/db.

func IsSecretEnvKey

func IsSecretEnvKey(name string) bool

IsSecretEnvKey reports whether an environment variable name looks sensitive (case-insensitive substring match against secretEnvMarkers). It is a best-effort hygiene denylist, not a security boundary: callers strip or mask matching keys before a child process or an exported profile can observe them.

func IsSecretEnvVar added in v1.0.0

func IsSecretEnvVar(name, value string) bool

IsSecretEnvVar reports whether a key/value pair should be withheld from a child process. It keeps IsSecretEnvKey's broad compatibility behavior while avoiding over-redaction of harmless URL config such as PUBLIC_URL. Credential- bearing URL values are always secret, even when the key name is innocuous.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL