fix: update config struct to not decode password/key (#1538)

* fix: update config struct to not decode password/key * test: update tests to confirm no secrets in output Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> --------- Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2026-02-13 11:06:43 +01:00 · 2023-02-03 13:06:14 -05:00 · 2023-02-03 13:06:14 -05:00 · 9995950c70
commit 9995950c70
parent b6a496f18c
2 changed files with 17 additions and 2 deletions
--- a/internal/config/attest.go
+++ b/internal/config/attest.go
@ -3,8 +3,9 @@ package config
 import "github.com/spf13/viper"
 type attest struct {
-	Key      string `yaml:"key" json:"key" mapstructure:"key"`
+	// IMPORTANT: do not show the attestation key/password in any YAML/JSON output (sensitive information)
-	Password string `yaml:"password" json:"password" mapstructure:"password"`
+	Key      string `yaml:"-" json:"-" mapstructure:"key"`
 	Password string `yaml:"-" json:"-" mapstructure:"password"`
 }
 func (cfg attest) loadDefaultValues(v *viper.Viper) {
--- a/test/cli/packages_cmd_test.go
+++ b/test/cli/packages_cmd_test.go
@ -229,6 +229,20 @@ func TestPackagesCmdFlags(t *testing.T) {
 				assertSuccessfulReturnCode,
 			},
 		},
 		{
 			name: "password and key not in config output",
 			args: []string{"packages", "-vvv", "-o", "json", coverageImage},
 			env: map[string]string{
 				"SYFT_ATTEST_PASSWORD": "secret_password",
 				"SYFT_ATTEST_KEY":      "secret_key_path",
 			},
 			assertions: []traitAssertion{
 				assertNotInOutput("secret_password"),
 				assertNotInOutput("secret_key_path"),
 				assertPackageCount(34),
 				assertSuccessfulReturnCode,
 			},
 		},
 	}
 	for _, test := range tests {