fix: update config struct to not decode password/key (#1538)

* fix: update config struct to not decode password/key * test: update tests to confirm no secrets in output Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> --------- Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
anchore · Feb 3, 2023 · 9995950 · 9995950
1 parent b6a496f
commit 9995950
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/internal/config/attest.go b/internal/config/attest.go
@@ -3,8 +3,9 @@ package config
 import "github.com/spf13/viper"
 
 type attest struct {
-	Key      string `yaml:"key" json:"key" mapstructure:"key"`
-	Password string `yaml:"password" json:"password" mapstructure:"password"`
+	// IMPORTANT: do not show the attestation key/password in any YAML/JSON output (sensitive information)
+	Key      string `yaml:"-" json:"-" mapstructure:"key"`
+	Password string `yaml:"-" json:"-" mapstructure:"password"`
 }
 
 func (cfg attest) loadDefaultValues(v *viper.Viper) {

diff --git a/test/cli/packages_cmd_test.go b/test/cli/packages_cmd_test.go
@@ -229,6 +229,20 @@ func TestPackagesCmdFlags(t *testing.T) {
 				assertSuccessfulReturnCode,
 			},
 		},
+		{
+			name: "password and key not in config output",
+			args: []string{"packages", "-vvv", "-o", "json", coverageImage},
+			env: map[string]string{
+				"SYFT_ATTEST_PASSWORD": "secret_password",
+				"SYFT_ATTEST_KEY":      "secret_key_path",
+			},
+			assertions: []traitAssertion{
+				assertNotInOutput("secret_password"),
+				assertNotInOutput("secret_key_path"),
+				assertPackageCount(34),
+				assertSuccessfulReturnCode,
+			},
+		},
 	}
 
 	for _, test := range tests {