Secrets Scrubbing

If a task references a secret, Mint will attempt to remove its value from any logs or artifacts produced by the run.

Specifically, Mint will do the following:

  • If a sequence of bytes in the logs matches a secret value, the sequence will be replaced with asterisks (*******). Note that the number of asterisks is static: a shorter or longer secret value produces the same mask, so it does not change the content of your logs.

  • Secrets in artifacts (such as task outputs) are replaced with a reference to them. For example, if Mint finds the value of a secret called "example", it is rewritten as ${{ secrets.example }}. Tasks that later use these artifacts will resolve the secret reference again.

Limitations

Please note that Mint will only match secret values against their plain-text representation. If the secret value is encoded in a different format, Mint will not be able to remove it.

A side effect of this is that it's possible to leak the existence of very generic secrets. For example, if you define a secret with the value echo, Mint filters every mention of echo in its logs or artifacts, so the masked output itself shows that echo is a secret value.
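
The following added example models both limitations with a minimal plain-text byte matcher. It is not Mint's implementation; the function names, secret names and sample values are hypothetical and constructed for illustration.

```python
import base64

MASK = b"*******"  # fixed-length mask, as described on this page


def scrub_log(data: bytes, secrets: dict[str, bytes]) -> bytes:
    """Replace every plain-text occurrence of a secret value with the mask."""
    # Longest values first, so a secret that contains another is masked whole.
    for value in sorted(secrets.values(), key=len, reverse=True):
        if value:
            data = data.replace(value, MASK)
    return data


def scrub_artifact(data: bytes, secrets: dict[str, bytes]) -> bytes:
    """Replace every plain-text occurrence with a ${{ secrets.NAME }} reference."""
    ordered = sorted(secrets.items(), key=lambda kv: len(kv[1]), reverse=True)
    for name, value in ordered:
        if value:
            data = data.replace(value, b"${{ secrets." + name.encode() + b" }}")
    return data


# Constructed sample values, not real credentials.
SECRETS = {"example": b"s3cr3t-t0ken", "generic": b"echo"}
ENCODED = base64.b64encode(SECRETS["example"])

# Constructed log: a shell trace line, the raw secret, and its base64 form.
LOG = (
    b"+ echo deploying\n"
    b"token=s3cr3t-t0ken\n"
    b"auth header: " + ENCODED + b"\n"
)

if __name__ == "__main__":
    # The raw token is masked, the base64 copy survives untouched, and the
    # masked shell command reveals that "echo" is a secret value.
    print(scrub_log(LOG, SECRETS).decode())
    print(scrub_artifact(b"API_TOKEN=s3cr3t-t0ken\n", SECRETS).decode())
```

A practical check that follows from this: search run logs and artifacts for the encoded forms your tasks actually produce (base64, URL-encoding, hex) of each secret, since a plain-text matcher will not catch them.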