Mask secrets in debug output
Feature Description
Obfuscate or remove secrets in debug output, e.g. the Api-Key value below has been replaced with ************:
time="2024-04-25T07:51:56Z" level=info msg="Request:\nPUT /collections/k6-load-test HTTP/1.1\nHost: myapp\nUser-Agent: k6/0.50.0 (https://k6.io/)\nContent-Length: 94\nApi-Key: ************\nContent-Type: application/json\nAccept-Encoding: gzip\n\n{\"vectors\":{\"size\":1536,\"distance\":\"Dot\"},\"replication_factor\":3,\"write_consistency_factor\":3}\n" group="::setup" iter=0 request_id=05651186-bbe5-41e0-7480-fa0a63214ecd source=http-debug vu=0
Suggested Solution (optional)
The easiest solution is probably to have a flag that disables outputting headers (which are the most likely location of secrets, tokens, API keys, cookies etc.). A more advanced solution could detect and mask based on high entropy.
Already existing or connected issues / PRs (optional)
No response
Honestly, it sounds like something unlikely to be developed in the current k6/http module directly from the k6 core team. At the moment the demand is not so high to justify the complexity it would bring to the API.
If you plan to contribute, we might consider it and discuss together an API.
One of the possible directions to solve the issue/need is to create a custom logrus hook that will keep the list of the secrets (+ maybe a Golang API to manage it). That hook will process and mask the secrets in logs.
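The masking step such a hook could apply, as an added example that is not part of the thread and not k6 or logrus code: it combines the header-based masking from the issue with the secret list from the comment above, using only the Go standard library. `Masker`, `NewMasker` and `Mask` are hypothetical names, wiring into a logrus hook is not shown, and it assumes the hook sees the message with real line breaks, before the formatter escapes them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const mask = "************"

// Masker hides values of named headers and any registered secret literal.
type Masker struct {
	headerRE *regexp.Regexp    // nil when no header names were given
	secrets  *strings.Replacer // literal secret -> mask
}

// NewMasker is a hypothetical constructor, not a k6 or logrus API.
func NewMasker(headers, secrets []string) *Masker {
	m := &Masker{}
	if len(headers) > 0 {
		names := make([]string, len(headers))
		for i, h := range headers {
			names[i] = regexp.QuoteMeta(h)
		}
		// (?im): header names are case-insensitive; ^ anchors at every line.
		m.headerRE = regexp.MustCompile(`(?im)^(` + strings.Join(names, "|") + `):[ \t]*[^\r\n]*`)
	}
	var pairs []string
	for _, s := range secrets {
		if s != "" { // an empty "secret" would match everywhere
			pairs = append(pairs, s, mask)
		}
	}
	m.secrets = strings.NewReplacer(pairs...)
	return m
}

// Mask is what a log hook would apply to each message before it is written.
func (m *Masker) Mask(msg string) string {
	if m.headerRE != nil {
		msg = m.headerRE.ReplaceAllString(msg, "${1}: "+mask)
	}
	return m.secrets.Replace(msg)
}

func main() {
	// Constructed sample shaped like the http-debug message in the issue.
	msg := "Request:\nPUT /collections/k6-load-test HTTP/1.1\nHost: myapp\nApi-Key: constructed-key-123\n\n{\"note\":\"constructed-key-123\"}\n"
	fmt.Print(NewMasker([]string{"Api-Key", "Cookie"}, []string{"constructed-key-123"}).Mask(msg))
}
```

Header-name matching catches secrets the list does not know about, while the literal list catches the same value when it reappears in a URL or body.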