dyff
Question: How to handle "sensitive" diff?
Any idea how to handle sensitive values in output? It's easy to determine sensitive values based on Kind type for Kubernetes, for example, but wondering what can be used for docker-compose spec.
Thinking about some argument which can help mask the whole environment array/map (instead of values, some hash can be output):
dyff between docker-compose-old.yaml docker-compose-new.yaml --mask services.*.environment
or mask specific keys:
dyff between docker-compose-old.yaml docker-compose-new.yaml --mask services.*.environment.APP_TOKEN --mask services.*.environment.DATABASE_PASSWORD
with file input:
dyff between ... --mask-from-file denylist.json
or with regular expression support:
dyff between ... --mask-keys-regex '.*(PASSWORD|TOKEN|CERTIFICATE)'
The environment spec in docker-compose can be either a map or a list; ^ would probably work only for the map variant.
Any ideas?
Thanks
I could imagine some auto-detection based on key name plus content. That would make a nice feature. It could be enabled by default and a command-line flag would enable showing redacted credentials.
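The masking idea from the question, written as a pre-processing step that could run before the two files are diffed. This is an added example, not dyff code, and the `--mask*` flags above are a proposal from the thread; `mask_value` and `mask_environment` are hypothetical names. It assumes the compose files are already parsed into dicts, covers both the map and the list form of `environment`, and uses a per-run keyed digest rather than a plain hash so that a pasted diff cannot be used to guess short secrets offline.

```python
import copy
import hashlib
import hmac
import re
import secrets

# Key-name pattern taken from the --mask-keys-regex idea in the question.
SENSITIVE_KEY = re.compile(r".*(PASSWORD|TOKEN|CERTIFICATE)")
# Random per run: digests match across files masked in this run only.
RUN_KEY = secrets.token_bytes(32)


def mask_value(value):
    """Replace a secret with a short keyed digest so a change stays visible."""
    digest = hmac.new(RUN_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return f"<masked:{digest[:12]}>"


def mask_environment(compose, key_pattern=SENSITIVE_KEY):
    """Return a copy of a parsed compose document with sensitive values masked."""
    masked = copy.deepcopy(compose)
    for service in (masked.get("services") or {}).values():
        env = service.get("environment")
        if isinstance(env, dict):  # map form: KEY: value
            for key, value in env.items():
                # A null value means "pass through from the host": nothing to hide.
                if key_pattern.fullmatch(str(key)) and value is not None:
                    env[key] = mask_value(value)
        elif isinstance(env, list):  # list form: "KEY=value" or bare "KEY"
            for i, item in enumerate(env):
                key, sep, value = str(item).partition("=")
                if sep and key_pattern.fullmatch(key):
                    env[i] = f"{key}={mask_value(value)}"
    return masked


# Constructed sample input, shaped like the output of a YAML parser.
OLD = {"services": {
    "web": {"environment": {"APP_TOKEN": "abc123", "LOG_LEVEL": "info"}},
    "db": {"environment": ["DATABASE_PASSWORD=old-pw", "PGDATA=/data", "TZ"]},
}}
NEW = {"services": {
    "web": {"environment": {"APP_TOKEN": "abc123", "LOG_LEVEL": "debug"}},
    "db": {"environment": ["DATABASE_PASSWORD=new-pw", "PGDATA=/data", "TZ"]},
}}
```

Masking both documents in the same process and then diffing the results shows that `DATABASE_PASSWORD` changed and `APP_TOKEN` did not, without printing either value.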