In our environment we use Ansible through Jenkins frequently and an ansible-playbook I wrote started exposing secrets that I did not want in Jenkins logs. ansible-playbook outputs real-time status about the deploy but also leaks secrets.
There were two ways I discovered how to filter, censor, or alter sensitive data in Jenkins output.
ansible-playbook | egrep --line-buffered -v 'DEPLOY_TOKEN='
I found this to be the most useful, as you can use regex and replace the text CENSORED so you know a password was there.
ansible-playbook | sed -u -e 's/DEPLOY_TOKEN=(.*)/***CENSORED FROM JENKINS***/g'