
Environment Attestor

Warning! Environment variables can contain SENSITIVE data that should not be shown. Review the variables in your environment and use the --env-add-sensitive-key flag to exclude them from the capture if they are not covered by the default sensitive vars.

The Environment Attestor records the OS, hostname, username, and all environment variables set at execution time. By default it runs in obfuscation mode: it captures all variables but obfuscates any variable that is on the sensitive vars list.

Filter instead of obfuscate

When you use --env-filter-sensitive-vars, sensitive vars are removed from the list completely instead of being obfuscated.

Adding additional sensitive keys

If you want to add keys to the sensitive list, either specific keys or globs, use --env-add-sensitive-key 'FOO' for FOO, or --env-add-sensitive-key 'FOO*' to also match a variable like FOO_BAR.

Explicitly allow sensitive key

There may be cases where you really want a specific key that is part of the default sensitive vars list to be captured. You can do so with the --env-allow-sensitive-key flag.

Default sensitive vars

The attestor has a default sensitive vars list. You can find the list in the code base here.
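
The four behaviours described above (obfuscate by default, filter, add a key or glob, allow a key) can be modelled in a few lines. This is an added example, not the attestor's own code: the placeholder string, the default pattern list, case-sensitive glob matching, and the allow list overriding every pattern are assumptions, and the environment is constructed sample data.

```python
from fnmatch import fnmatchcase

# Assumptions for this sketch, not taken from the attestor's code base:
PLACEHOLDER = "******"  # stand-in for the obfuscated value
DEFAULT_SENSITIVE = ["*TOKEN*", "*SECRET*", "*PASSWORD*"]  # constructed default list

# Constructed sample environment.
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "GITHUB_TOKEN": "constructed-token",
    "DB_PASSWORD": "constructed-password",
    "FOO": "1",
    "FOO_BAR": "2",
}


def capture(env, add_sensitive=(), allow=(), filter_mode=False):
    """Return the 'variables' map the attestation would carry.

    add_sensitive: extra keys or globs (models --env-add-sensitive-key)
    allow:         exact keys to record anyway (models --env-allow-sensitive-key)
    filter_mode:   drop instead of obfuscate (models --env-filter-sensitive-vars)
    """
    patterns = DEFAULT_SENSITIVE + list(add_sensitive)
    variables = {}
    for name, value in env.items():
        sensitive = name not in allow and any(
            fnmatchcase(name, pattern) for pattern in patterns
        )
        if not sensitive:
            variables[name] = value
        elif not filter_mode:
            variables[name] = PLACEHOLDER  # key stays visible, value hidden
        # in filter mode a sensitive variable is left out entirely
    return variables


if __name__ == "__main__":
    for label, kwargs in [
        ("default (obfuscate)", {}),
        ("filter", {"filter_mode": True}),
        ("add 'FOO'", {"add_sensitive": ["FOO"]}),
        ("add 'FOO*'", {"add_sensitive": ["FOO*"]}),
        ("allow GITHUB_TOKEN", {"allow": ["GITHUB_TOKEN"]}),
    ]:
        print(label, capture(SAMPLE_ENV, **kwargs))
```

Comparing the 'FOO' and 'FOO*' runs shows why a prefix-named secret such as FOO_BAR needs the glob form: the exact key alone leaves it recorded in clear.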

Schema

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$ref": "#/$defs/Attestor",
  "$defs": {
    "Attestor": {
      "properties": {
        "os": {
          "type": "string"
        },
        "hostname": {
          "type": "string"
        },
        "username": {
          "type": "string"
        },
        "variables": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object"
        }
      },
      "additionalProperties": false,
      "type": "object",
      "required": [
        "os",
        "hostname",
        "username"
      ]
    }
  }
}