redact

package
v0.1.21 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 27, 2026 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package redact provides structured redaction for output in CI environments.

When enabled, redaction replaces sensitive information in error messages and logs with placeholder values. This is useful in CI environments where logs may be publicly visible or stored long-term.

Redaction targets actually sensitive data:

  • Bearer tokens and authorization headers
  • JWT/OIDC tokens
  • CI provider tokens (GitHub ghs_/gho_/ghp_, GitLab glpat-/glcbt-, etc.)
  • API keys and secrets in key=value patterns
  • Long base64 strings (likely encoded credentials)

File paths are NOT redacted - they're useful for debugging and rarely secrets.

This package is at the infrastructure layer (Layer 4) so it can be used by both workflow packages (internal/collector, internal/dispatch) and CLI packages.

Usage: 

// Enable redaction (typically via --redact flag or EPACK_REDACT env)
redact.Enable()

// Scan error messages for sensitive patterns
msg := redact.Sensitive("auth failed: Bearer eyJhbG...")
// Returns "auth failed: Bearer [REDACTED]"

// Explicitly mark a value as sensitive
token := os.Getenv("SECRET_TOKEN")
log.Printf("using token: %s", redact.Value(token))
// Returns "using token: [REDACTED]" when enabled

Index

Constants

View Source 
const Placeholder = "[REDACTED]"

Placeholder is the replacement text for redacted values.

Variables

This section is empty.

Functions

func Disable 

func Disable()

Disable turns off redaction globally.

func Enable 

func Enable()

Enable turns on redaction globally.

func Error 

func Error(msg string) string

Error is an alias for Sensitive - scans error messages for secrets.

func IsEnabled 

func IsEnabled() bool

IsEnabled returns whether redaction is currently enabled.

func SanitizeURL 

func SanitizeURL(rawURL string) string

SanitizeURL removes sensitive parts of a URL for safe logging/storage. It removes:

  • Userinfo (user:password@host)
  • Sensitive query parameters (token, key, secret, etc.)

Always sanitizes regardless of redaction setting - URLs with credentials should never be persisted.

func SanitizeURLHost 

func SanitizeURLHost(rawURL string) string

SanitizeURLHost returns only the scheme and host of a URL. This is the safest option for error messages where the full path isn't needed.

func Sensitive 

func Sensitive(s string) string

Sensitive scans a string for patterns that look like secrets and redacts them. This includes:

  • Bearer tokens (preserves "Bearer " prefix)
  • JWT tokens (three-part base64url format)
  • CI provider tokens (GitHub ghs_/gho_/ghp_, GitLab glpat-/glcbt-, etc.)
  • API keys and secrets in key=value patterns
  • Long base64 strings (40+ chars, likely encoded secrets)
  • Sensitive URL query parameters (token, api_key, secret, etc.)

SECURITY: Input is truncated to maxInputLength before scanning to prevent DoS via regex processing on very large inputs. Truncated content is replaced with a marker indicating potential secrets were not fully scanned.

func Value 

func Value(v string) string

Value redacts an explicitly sensitive value. Use this when you know the value is sensitive (e.g., from an env var).

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.