feat: Add secret masking to step logs

Introduced a new feature to mask sensitive secret values within step
stdout and stderr logs. This enhancement helps to prevent accidental
exposure of sensitive information like passwords and API keys.

When the `enable-secret-masking` feature flag is enabled, the Tekton
entrypoint will collect secret values referenced in environment
variables and volume mounts. These secrets are then base64 encoded and
written to a temporary file. A masking writer is used to intercept and
redact these secrets, replacing them with "***" before they are written
to the logs. An init container is added to the pod to prepare the secret
masking file for the entrypoint.

Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>

Author: chmouel

cmd/entrypoint/main.go

@@ -56,6 +56,7 @@ var (
 		" Set to \"stopAndFail\" to declare a failure with a step error and stop executing the rest of the steps.")
 	stepMetadataDir        = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/")
 	resultExtractionMethod = flag.String("result_from", entrypoint.ResultExtractionMethodTerminationMessage, "The method using which to extract results from tasks. Default is using the termination message.")
+	secretMaskFile         = flag.String("secret_mask_file", "", "If specified, file containing base64-encoded secrets to mask in stdout/stderr (one per line)")
 )
 
 const (
@@ -135,8 +136,9 @@ func main() {
 		TerminationPath: *terminationPath,
 		Waiter:          &realWaiter{waitPollingInterval: defaultWaitPollingInterval, breakpointOnFailure: *breakpointOnFailure},
 		Runner: &realRunner{
-			stdoutPath: *stdoutPath,
-			stderrPath: *stderrPath,
+			stdoutPath:     *stdoutPath,
+			stderrPath:     *stderrPath,
+			secretMaskFile: *secretMaskFile,
 		},
 		PostWriter:             &realPostWriter{},
 		Results:                strings.Split(*results, ","),

cmd/entrypoint/masking_writer.go

@@ -0,0 +1,59 @@
+//go:build !windows
+
+/*
+Copyright 2026 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"io"
+)
+
+// maskingWriter wraps an io.Writer and replaces secret values with "***".
+type maskingWriter struct {
+	underlying io.Writer
+	secrets    [][]byte
+}
+
+// newMaskingWriter creates a new writer that masks the given secrets in its output.
+// If no secrets are provided, the underlying writer is returned as-is.
+func newMaskingWriter(w io.Writer, secrets []string) io.Writer {
+	if len(secrets) == 0 {
+		return w
+	}
+	secretBytes := make([][]byte, 0, len(secrets))
+	for _, s := range secrets {
+		if len(s) >= 3 {
+			secretBytes = append(secretBytes, []byte(s))
+		}
+	}
+	if len(secretBytes) == 0 {
+		return w
+	}
+	return &maskingWriter{underlying: w, secrets: secretBytes}
+}
+
+// Write implements io.Writer. It replaces all occurrences of secrets with "***"
+// before writing to the underlying writer.
+func (m *maskingWriter) Write(p []byte) (n int, err error) {
+	masked := p
+	for _, secret := range m.secrets {
+		masked = bytes.ReplaceAll(masked, secret, []byte("***"))
+	}
+	_, err = m.underlying.Write(masked)
+	return len(p), err
+}

cmd/entrypoint/masking_writer_test.go

@@ -0,0 +1,116 @@
+//go:build !windows
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestMaskingWriter(t *testing.T) {
+	testCases := []struct {
+		name     string
+		secrets  []string
+		input    string
+		expected string
+	}{
+		{
+			name:     "no secrets",
+			secrets:  nil,
+			input:    "hello world",
+			expected: "hello world",
+		},
+		{
+			name:     "single secret",
+			secrets:  []string{"password123"},
+			input:    "The password is password123!",
+			expected: "The password is ***!",
+		},
+		{
+			name:     "multiple secrets",
+			secrets:  []string{"secret1", "secret2"},
+			input:    "secret1 and secret2 are here",
+			expected: "*** and *** are here",
+		},
+		{
+			name:     "short secret skipped",
+			secrets:  []string{"ab"},
+			input:    "ab ab ab",
+			expected: "ab ab ab",
+		},
+		{
+			name:     "repeated secret",
+			secrets:  []string{"token"},
+			input:    "token token token",
+			expected: "*** *** ***",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var buf bytes.Buffer
+			w := newMaskingWriter(&buf, tc.secrets)
+			if _, err := w.Write([]byte(tc.input)); err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if got := buf.String(); got != tc.expected {
+				t.Errorf("got %q, want %q", got, tc.expected)
+			}
+		})
+	}
+}
+
+func TestLoadSecretsForMasking(t *testing.T) {
+	dir := t.TempDir()
+	filePath := filepath.Join(dir, "secrets")
+	content := "c2VjcmV0MQ==\ncGFzc3dvcmQ=\n"
+	if err := os.WriteFile(filePath, []byte(content), 0644); err != nil {
+		t.Fatalf("failed to write test file: %v", err)
+	}
+
+	got, err := loadSecretsForMasking(filePath)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	expected := map[string]bool{"secret1": true, "password": true}
+	for _, s := range got {
+		if !expected[s] {
+			t.Fatalf("unexpected secret: %s", s)
+		}
+		delete(expected, s)
+	}
+	if len(expected) != 0 {
+		t.Fatalf("missing secrets: %v", expected)
+	}
+}
+
+func TestLoadSecretsForMaskingInvalidLine(t *testing.T) {
+	dir := t.TempDir()
+	filePath := filepath.Join(dir, "secrets")
+	if err := os.WriteFile(filePath, []byte("not-base64\n"), 0644); err != nil {
+		t.Fatalf("failed to write test file: %v", err)
+	}
+
+	if _, err := loadSecretsForMasking(filePath); err == nil {
+		t.Fatalf("expected error")
+	}
+}

cmd/entrypoint/runner.go

@@ -19,13 +19,15 @@ package main
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"os/signal"
 	"path/filepath"
+	"strings"
 	"sync"
 	"syscall"
 
@@ -42,10 +44,11 @@ const (
 // realRunner actually runs commands.
 type realRunner struct {
 	sync.Mutex
-	signals       chan os.Signal
-	signalsClosed bool
-	stdoutPath    string
-	stderrPath    string
+	signals        chan os.Signal
+	signalsClosed  bool
+	stdoutPath     string
+	stderrPath     string
+	secretMaskFile string
 }
 
 var _ entrypoint.Runner = (*realRunner)(nil)
@@ -86,6 +89,13 @@ func (rr *realRunner) Run(ctx context.Context, args ...string) error {
 
 	cmd := exec.CommandContext(ctx, name, args...)
 
+	secrets, err := loadSecretsForMasking(rr.secretMaskFile)
+	if err != nil {
+		return err
+	}
+	stdoutBase := newMaskingWriter(os.Stdout, secrets)
+	stderrBase := newMaskingWriter(os.Stderr, secrets)
+
 	// if a standard output file is specified
 	// create the log file and add to the std multi writer
 	if rr.stdoutPath != "" {
@@ -94,19 +104,19 @@ func (rr *realRunner) Run(ctx context.Context, args ...string) error {
 			return err
 		}
 		defer stdout.Close()
-		cmd.Stdout = io.MultiWriter(os.Stdout, stdout)
+		cmd.Stdout = io.MultiWriter(stdoutBase, newMaskingWriter(stdout, secrets))
 	} else {
-		cmd.Stdout = os.Stdout
+		cmd.Stdout = stdoutBase
 	}
 	if rr.stderrPath != "" {
 		stderr, err := newStdLogWriter(rr.stderrPath)
 		if err != nil {
 			return err
 		}
 		defer stderr.Close()
-		cmd.Stderr = io.MultiWriter(os.Stderr, stderr)
+		cmd.Stderr = io.MultiWriter(stderrBase, newMaskingWriter(stderr, secrets))
 	} else {
-		cmd.Stderr = os.Stderr
+		cmd.Stderr = stderrBase
 	}
 
 	// dedicated PID group used to forward signals to
@@ -170,3 +180,28 @@ func newStdLogWriter(path string) (*os.File, error) {
 
 	return f, nil
 }
+
+// loadSecretsForMasking reads base64-encoded secrets from a file (one per line)
+// and returns them as decoded strings.
+func loadSecretsForMasking(filePath string) ([]string, error) {
+	if filePath == "" {
+		return nil, nil
+	}
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+	var secrets []string
+	for i, line := range strings.Split(string(data), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		decoded, err := base64.StdEncoding.DecodeString(line)
+		if err != nil {
+			return nil, fmt.Errorf("decode secret mask entry %d: %w", i+1, err)
+		}
+		secrets = append(secrets, string(decoded))
+	}
+	return secrets, nil
+}

cmd/entrypoint/subcommands/secret_mask_init.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package subcommands
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+// SecretMaskInitCommand is the name of the secret mask initialization command
+const SecretMaskInitCommand = "secret-mask-init"
+
+// SecretMaskDataEnvVar is the env var containing secret mask data.
+const SecretMaskDataEnvVar = "TEKTON_SECRET_MASK_DATA"
+
+// secretMaskInit writes the secret mask data to the specified file path.
+func secretMaskInit(filePath string) error {
+	data := os.Getenv(SecretMaskDataEnvVar)
+	if data == "" {
+		return fmt.Errorf("environment variable %s is not set", SecretMaskDataEnvVar)
+	}
+
+	if err := os.MkdirAll(filepath.Dir(filePath), 0755); err != nil {
+		return err
+	}
+	return os.WriteFile(filePath, []byte(data), 0444)
+}

cmd/entrypoint/subcommands/subcommands.go

@@ -92,6 +92,16 @@ func Process(args []string) error {
 			return SubcommandError{subcommand: StepInitCommand, message: err.Error()}
 		}
 		return OK{message: "Setup /step directories"}
+	case SecretMaskInitCommand:
+		// If invoked in "secret-mask-init" mode (`entrypoint secret-mask-init <file-path>`),
+		// write the secret mask data (from environment variable) to the specified file.
+		if len(args) == 2 {
+			filePath := args[1]
+			if err := secretMaskInit(filePath); err != nil {
+				return SubcommandError{subcommand: SecretMaskInitCommand, message: err.Error()}
+			}
+			return OK{message: "Initialized secret mask file"}
+		}
 	default:
 	}
 	return nil

config/config-feature-flags.yaml

@@ -136,3 +136,7 @@ data:
   # If set to "false", exponential backoff will be disabled.
   # For advanced tuning of backoff parameters, update the 'wait-exponential-backoff' ConfigMap.
   enable-wait-exponential-backoff: "false"
+  # Setting this flag to "true" enables masking of secret values in step stdout/stderr.
+  # Secret values from secretKeyRef environment variables and secret volumes will be
+  # replaced with "***" in the logs.
+  enable-secret-masking: "false"

docs/additional-configs.md

@@ -369,7 +369,11 @@ to run in namespaces with `restricted` pod security admission. By default, this
 - `set-security-context-read-only-root-filesystem`: Set this flag to `true` to enable `readOnlyRootFilesystem` in the
   security context for containers injected by Tekton. This makes the root filesystem of the container read-only,
   enhancing security. Note that this requires `set-security-context` to be enabled. By default, this flag is set
-  to `false`. Note: This feature does not work in windows as it is not supported there, [Comparison with linux](https://kubernetes.io/docs/concepts/windows/intro/#compatibility-linux-similarities). 
+  to `false`. Note: This feature does not work in windows as it is not supported there, [Comparison with linux](https://kubernetes.io/docs/concepts/windows/intro/#compatibility-linux-similarities).
+
+- `enable-secret-masking`: Set this flag to `"true"` to enable masking of secret values in step stdout/stderr.
+  Secret values from `secretKeyRef` environment variables and secret volumes will be replaced with `***` in the logs.
+  By default, this is set to `false`. This is an `alpha` feature.
 
 ### Alpha Features
 
@@ -395,6 +399,7 @@ Features currently in "alpha" are:
 | [keep pod on cancel](./taskruns.md#cancelling-a-taskrun)                                                     | N/A                                                                                                                  | [v0.52.0](https://github.com/tektoncd/pipeline/releases/tag/v0.52.0) | `keep-pod-on-cancel`                             |
 | [CEL in WhenExpression](./pipelines.md#use-cel-expression-in-whenexpression)                                                  | [TEP-0145](https://github.com/tektoncd/community/blob/main/teps/0145-cel-in-whenexpression.md)                       | [v0.53.0](https://github.com/tektoncd/pipeline/releases/tag/v0.53.0) | `enable-cel-in-whenexpression`                   |
 | [Param Enum](./taskruns.md#parameter-enums)                                                                  | [TEP-0144](https://github.com/tektoncd/community/blob/main/teps/0144-param-enum.md)                                  | [v0.54.0](https://github.com/tektoncd/pipeline/releases/tag/v0.54.0) | `enable-param-enum`                              |
+| Secret Masking                                                                                               | N/A                                                                                                                  | N/A                                                                  | `enable-secret-masking`                          |
 
 ### Beta Features