diff --git a/cmd/run.go b/cmd/run.go
index 9f2091ed..f6eb3fe5 100644
--- a/cmd/run.go
+++ b/cmd/run.go
@@ -131,7 +131,13 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 ro.StepName,
 witness.RunWithSigners(signers...),
 witness.RunWithAttestors(attestors),
- witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)),
+ witness.RunWithAttestationOpts(
+ attestation.WithWorkingDir(ro.WorkingDir),
+ attestation.WithHashes(roHashes),
+ attestation.WithEnvCapturer(
+ ro.EnvAddSensitiveKeys, ro.EnvExcludeSensitiveKeys, ro.EnvDisableSensitiveVars, ro.EnvFilterSensitiveVars,
+ ),
+ ),
 witness.RunWithTimestampers(timestampers...),
 )
 if err != nil {
diff --git a/options/run.go b/options/run.go
index 05e087b9..8311ce03 100644
--- a/options/run.go
+++ b/options/run.go
@@ -34,6 +34,10 @@ type RunOptions struct {
 Tracing bool
 TimestampServers []string
 AttestorOptSetters map[string][]func(attestation.Attestor) (attestation.Attestor, error)
+ EnvFilterSensitiveVars bool
+ EnvDisableSensitiveVars bool
+ EnvAddSensitiveKeys []string
+ EnvExcludeSensitiveKeys []string
 }
 var RequiredRunFlags = []string{
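Review bot: The `attestation.WithEnvCapturer(...)` call in cmd/run.go passes two `[]string` values followed by two `bool` values positionally, so swapping either pair still compiles; the order used here (add, exclude, disable, filter) also differs from the order the fields are declared in `RunOptions` in options/run.go (filter, disable, add, exclude). The signature of `WithEnvCapturer` is not part of this diff, so the order cannot be confirmed from here, and a transposition would silently change which environment values are masked or recorded in the signed attestation. I would add a comment above the call once it is checked against the signature, e.g. `// add keys, exclude keys, disable default list, filter instead of obfuscate`, and cover the wiring with a test that sets each flag in turn and inspects the captured environment. The body of `runRun` starts and ends outside the hunk.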
@@ -57,6 +61,12 @@ func (ro *RunOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVarP(&ro.Tracing, "trace", "r", false, "Enable tracing for the command") cmd.Flags().StringSliceVarP(&ro.TimestampServers, "timestamp-servers", "t", []string{}, "Timestamp Authority Servers to use when signing envelope") + // Environment variables flags + cmd.Flags().BoolVarP(&ro.EnvFilterSensitiveVars, "env-filter-sensitive-vars", "", false, "Switch from obfuscate to filtering variables which removes them from the output completely.") + cmd.Flags().BoolVarP(&ro.EnvDisableSensitiveVars, "env-disable-default-sensitive-vars", "", false, "Disable the default list of sensitive vars and only use the items mentioned by --add-sensitive-key.") + cmd.Flags().StringSliceVar(&ro.EnvAddSensitiveKeys, "env-add-sensitive-key", []string{}, "Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.") + cmd.Flags().StringSliceVar(&ro.EnvExcludeSensitiveKeys, "env-exclude-sensitive-key", []string{}, "Exclude specific keys from the list of sensitive environment keys. Note: This does not support globs.") + cmd.MarkFlagsRequiredTogether(RequiredRunFlags...) attestationRegistrations := attestation.RegistrationEntries()
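Review bot: The help text of `--env-disable-default-sensitive-vars` refers users to `--add-sensitive-key`, but the flag registered two lines below it is `--env-add-sensitive-key`; the string should end `only use the items mentioned by --env-add-sensitive-key.` Going by that help text, passing the disable flag with no `--env-add-sensitive-key` presumably leaves the sensitive list empty, so every environment value would be written to the attestation unmasked; rejecting or warning on that combination where the options are validated would prevent an accidental secret disclosure. The two `BoolVarP` calls pass an empty shorthand, so `BoolVar` would match the `StringSliceVar` calls next to them. `AddFlags` continues outside the hunk.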