Skip to content

redactor add: Add optional filtering like env vars #3605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DrJosh9000 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

redactor add: Add optional filtering like env vars #3605

DrJosh9000 wants to merge 1 commit into from
+107 −32

Conversation

@DrJosh9000
Copy link
Contributor

@DrJosh9000 DrJosh9000 commented Dec 3, 2025
edited
Loading

Description

Adds an --apply-vars-filter flag to the redactor add subcommand, that enables the same filtering as normally happens for filtering env vars for secrets.

Context

Relevant to #3588

Changes

  • Adds --apply-vars-filter as described above, and the common --redact-vars flag.
  • Updates the tests

Two small cleanups:

  • JSON decoding should be able to work with a pointer to a map - the pointer to a pointer to a map should be unnecessary!
  • Reordered the unknown format flag so it reads unknown format "foo" rather than foo: unknown format

Testing

  • Tests have run locally (with go test ./...). Buildkite employees may check this if the pipeline has run automatically.
  • Code is formatted (with go tool gofumpt -extra -w .)

Disclosures / Credits

I did it my way

@DrJosh9000 DrJosh9000 requested a review from a team December 3, 2025 02:57
zhming0
zhming0 approved these changes Jan 7, 2026
View reviewed changes
Copy link
Contributor

@zhming0 zhming0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, looks useful 👍🏿

clicommand/redactor_add.go
},
cli.BoolFlag{
Name: "apply-vars-filter",
Usage: fmt.Sprintf("When the input is in 'json' format, filters the secrets to redact using the same rules used to detect secrets from environment variables: secrets must be at least %d characters long, and names must match the patterns defined by --redacted-vars or $BUILDKITE_REDACTED_VARS.", redact.LengthMin),
Copy link
Contributor

@zhming0 zhming0 Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coming from an angle of not famlilar with agent redactor mechanism, I don't think I understand this feature without the code. Maybe we can use some touch up on the doc here, something alone the line of:

"By default, all values in the JSON will be redacted. When apply-vars-filter is true, only ... gets redacted".

But it's not a blocker.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zhming0 zhming0 zhming0 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DrJosh9000 @zhming0