Too eager sensitive data masking in logs

Hi Octopus Support,

I’ve noticed that the sensitive data masking in deployment logs is a bit too eager.
If I have a project called MyProject.Whatever and I define a sensitive variable with value “Whatever” then the log looks like this:

Deploying MyProject.******** into UAT

This is actually the opposite effect than what I’d expect, because it reveals that the sensitive value is “Whatever”.
Can well-known values such as the project name be excluded from the log masking?

Hi @jakub.januszkiewicz,

Thanks for getting in touch! This behaviour is by design. We try to identify every instance of a sensitive variable and mask it in the logs. The assumption is that any sensitive value you add to Octopus should be regarded as sensitive wherever it can be output for users to read.

We have a small mention of this on our Sensitive Variables documentation page.

Let me know if you have any further thoughts or questions here.

Best regards,
Daniel

Thanks for the reply. I understand that this is by design; the “problem” I had was a test environment configuration where one of the sensitive variables was actually a common word, and that word was masked in logs in all places, not only in those where the source of that text was actually the sensitive variable. But given that common words are not normally included in sensitive variables, I agree the current behaviour is correct.
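The effect discussed in this thread, as an added illustration that is not part of the original posts and is not Octopus Deploy's code: a constructed substring masker reproduces the quoted log line, and a pre-deployment check flags sensitive values that also occur inside well-known names. The function names, the variable name `Test.ApiKey` and the list of public names are assumptions made for the example.

```python
"""Constructed model of substring-based log masking (not Octopus Deploy code)."""

MASK = "********"

# Constructed sample data; only "MyProject.Whatever", "Whatever" and "UAT"
# come from the thread. The variable name is hypothetical.
SENSITIVE = {"Test.ApiKey": "Whatever"}
PUBLIC_NAMES = ["MyProject.Whatever", "UAT"]
LOG_LINE = "Deploying MyProject.Whatever into UAT"


def mask_log(line, sensitive_values):
    """Replace every occurrence of each sensitive value, longest first so a
    short value cannot split a longer one before it is masked."""
    for value in sorted(sensitive_values, key=len, reverse=True):
        if value:  # an empty value would match everywhere
            line = line.replace(value, MASK)
    return line


def find_collisions(sensitive, public_names):
    """Return (variable, public_name) pairs where a sensitive value is a
    substring of a well-known name. Masking such a name in a log tells any
    reader who knows the name what the hidden value is."""
    hits = []
    for var, value in sensitive.items():
        for name in public_names:
            if value and value in name:
                hits.append((var, name))
    return hits


def revealed_by_mask(masked, known_plain):
    """Show what the masked line gives away: align it with the text the
    reader already knows and return the hidden part, or None if the two
    do not line up."""
    prefix, sep, suffix = masked.partition(MASK)
    if not sep or not known_plain.startswith(prefix):
        return None
    if not known_plain.endswith(suffix):
        return None
    return known_plain[len(prefix):len(known_plain) - len(suffix)]


if __name__ == "__main__":
    masked = mask_log(LOG_LINE, SENSITIVE.values())
    print(masked)
    for var, name in find_collisions(SENSITIVE, PUBLIC_NAMES):
        print(f"warning: value of {var} also appears in public name {name}")
```

Running `find_collisions` over a project's sensitive variables and its project, environment and step names before a deployment surfaces values that should be replaced with something that does not occur in ordinary log text.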
