Describe the bug
Summary
I noticed that --verbose prints sensitive authentication data directly
to stdout. In a CI/CD job, this means secrets can end up in build logs.
The verbose dump currently includes things like:
- Keycloak Authorization: Basic ...
- Keycloak access_token response body
- Microcks Authorization: Bearer ...
- SSO access and refresh tokens from login
Impact
This is risky because the CLI is commonly used in pipelines. If someone
enables --verbose while debugging, anyone with access to the job logs
may be able to copy service account credentials or bearer tokens and
reuse them until they expire or are rotated.
Depending on the account permissions, this could allow unauthorized test
execution, artifact imports, or other API actions.
Affected Code
- pkg/config/config.go dumps raw requests and responses without
redaction.
- pkg/connectors/keycloak_client.go dumps Keycloak auth requests and
token responses.
- pkg/connectors/microcks_client.go dumps Microcks requests with
bearer tokens.
- cmd/login.go logs SSO access and refresh tokens directly.
Expected behavior
Verbose logs should be useful for debugging, but secrets should be
redacted before printing.
Actual behavior
Verbose logs expose reusable credentials and tokens.
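One way to get the expected behavior described above, as an added example that is not microcks-cli code: a Go filter applied to the raw request/response dump before it is printed. It masks the Authorization header value (Basic or Bearer), token fields in the Keycloak JSON token response, and client_secret in the form-encoded token request, and a leaks helper checks that none of the known secret values survive. The sample dumps, the helper names redactDump and leaks, and the list of field names are assumptions made for this example, not the project's API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Redaction filter for verbose HTTP dumps. Added example, not microcks-cli code.
// Assumption: the verbose path has the dump as a string (e.g. from
// httputil.DumpRequestOut / DumpResponse) and calls redactDump before printing.

const redacted = "[REDACTED]"

var (
	// Authorization header value, case-insensitive header name and scheme.
	authHeaderRe = regexp.MustCompile(`(?im)^(authorization:\s*(?:basic|bearer)\s+)\S+`)
	// JSON string fields that carry credentials in a token response.
	jsonSecretRe = regexp.MustCompile(`(?i)("(?:access_token|refresh_token|id_token|client_secret)"\s*:\s*")[^"]*(")`)
	// Form-encoded fields in a token request body.
	formSecretRe = regexp.MustCompile(`(?i)(\b(?:client_secret|refresh_token|password)=)[^&\s]+`)
)

// redactDump masks credential-bearing headers and fields, leaving the rest of
// the dump (method, path, non-secret headers and fields) intact for debugging.
func redactDump(dump string) string {
	out := authHeaderRe.ReplaceAllString(dump, "${1}"+redacted)
	out = jsonSecretRe.ReplaceAllString(out, "${1}"+redacted+"${2}")
	out = formSecretRe.ReplaceAllString(out, "${1}"+redacted)
	return out
}

// leaks returns every known secret value that still appears in dump. Useful
// as a test guard: the verbose output must never contain these.
func leaks(dump string, secrets []string) []string {
	var found []string
	for _, s := range secrets {
		if s != "" && strings.Contains(dump, s) {
			found = append(found, s)
		}
	}
	return found
}

// Constructed sample dumps (fake hosts, fake credentials) for the example.
const keycloakRequest = "POST /realms/microcks/protocol/openid-connect/token HTTP/1.1\r\n" +
	"Host: keycloak.example.test\r\n" +
	"Authorization: Basic bWljcm9ja3Mtc2VydmljZWFjY291bnQ6c3VwZXItc2VjcmV0\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n\r\n" +
	"grant_type=client_credentials&client_secret=super-secret"

const tokenResponse = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n" +
	`{"access_token":"eyJhbGciOiJSUzI1NiJ9.fake-access","expires_in":300,` +
	`"refresh_token":"eyJhbGciOiJIUzI1NiJ9.fake-refresh","token_type":"Bearer"}`

const microcksRequest = "POST /api/artifact/download HTTP/1.1\r\n" +
	"Host: microcks.example.test\r\n" +
	"Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.fake-access\r\n\r\n"

func main() {
	secrets := []string{
		"bWljcm9ja3Mtc2VydmljZWFjY291bnQ6c3VwZXItc2VjcmV0",
		"super-secret",
		"eyJhbGciOiJSUzI1NiJ9.fake-access",
		"eyJhbGciOiJIUzI1NiJ9.fake-refresh",
	}
	for _, d := range []string{keycloakRequest, tokenResponse, microcksRequest} {
		r := redactDump(d)
		fmt.Println(r)
		fmt.Println("leaked:", leaks(r, secrets))
	}
}
```

A field-name allowlist like this only catches secrets under names it knows, so the safer default is to skip dumping token-endpoint bodies entirely and redact everything else; CI log masking is defense in depth, not a substitute for the CLI not printing the values.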
How to Reproduce?
- Run a command with --verbose:
  microcks import-url https://example.com/openapi.yaml \
  --microcksURL=<url> \
  --keycloakClientId=<id> \
  --keycloakClientSecret=<secret> \
  --verbose
- Check stdout/logs.
- Sensitive values are printed, including Authorization: Basic ...,
  access_token, and Authorization: Bearer ....
Microcks version or git rev
No response
Install method (docker-compose, helm chart, operator, docker-desktop extension,...)
No response
Additional information
No response