fix: update config struct to not decode password/key (#1538)

* fix: update config struct to not decode password/key * test: update tests to confirm no secrets in output Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> --------- Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2026-02-12 02:26:42 +01:00 · 2023-02-03 13:06:14 -05:00 · 2023-02-03 13:06:14 -05:00 · 9995950c70
commit 9995950c70
parent b6a496f18c
2 changed files with 17 additions and 2 deletions
--- a/internal/config/attest.go
+++ b/internal/config/attest.go
@ -3,8 +3,9 @@ package config
 import "github.com/spf13/viper"

 type attest struct {
-	Key      string `yaml:"key" json:"key" mapstructure:"key"`
-	Password string `yaml:"password" json:"password" mapstructure:"password"`
+	// IMPORTANT: do not show the attestation key/password in any YAML/JSON output (sensitive information)
+	Key      string `yaml:"-" json:"-" mapstructure:"key"`
+	Password string `yaml:"-" json:"-" mapstructure:"password"`
 }

 func (cfg attest) loadDefaultValues(v *viper.Viper) {
--- a/test/cli/packages_cmd_test.go
+++ b/test/cli/packages_cmd_test.go
@ -229,6 +229,20 @@ func TestPackagesCmdFlags(t *testing.T) {
 				assertSuccessfulReturnCode,
 			},
 		},
+		{
+			name: "password and key not in config output",
+			args: []string{"packages", "-vvv", "-o", "json", coverageImage},
+			env: map[string]string{
+				"SYFT_ATTEST_PASSWORD": "secret_password",
+				"SYFT_ATTEST_KEY":      "secret_key_path",
+			},
+			assertions: []traitAssertion{
+				assertNotInOutput("secret_password"),
+				assertNotInOutput("secret_key_path"),
+				assertPackageCount(34),
+				assertSuccessfulReturnCode,
+			},
+		},
 	}

 	for _, test := range tests {