How to censor passwords/secrets from Jenkins logs

cat << EOF | curl -X PUT -d @- uberleet.org

In our environment we use Ansible through Jenkins frequently and an ansible-playbook I wrote started exposing secrets that I did not want in Jenkins logs. ansible-playbook outputs real-time status about the deploy but also leaks secrets.

There were two ways I discovered how to filter, censor, or alter sensitive data in Jenkins output.

Using grep/egrep

ansible-playbook | egrep --line-buffered -v 'DEPLOY_TOKEN='

Using sed

I found this to be the most useful, as you can use regex and replace the text CENSORED or some other indication of where the data went.

ansible-playbook | sed -u -e 's/DEPLOY_TOKEN=(.*)/***CENSORED FROM JENKINS***/g'
EOF

Leave a Reply

Your email address will not be published. Required fields are marked *