diff --git a/internal/config/attest.go b/internal/config/attest.go
index f0493d7bfce..659c7d3ed7f 100644
--- a/internal/config/attest.go
+++ b/internal/config/attest.go
@@ -3,8 +3,9 @@ package config
 import "github.com/spf13/viper"
 type attest struct {
- Key string `yaml:"key" json:"key" mapstructure:"key"`
- Password string `yaml:"password" json:"password" mapstructure:"password"`
+ // IMPORTANT: do not show the attestation key/password in any YAML/JSON output (sensitive information)
+ Key string `yaml:"-" json:"-" mapstructure:"key"`
+ Password string `yaml:"-" json:"-" mapstructure:"password"`
 }
 func (cfg attest) loadDefaultValues(v *viper.Viper) {
diff --git a/test/cli/packages_cmd_test.go b/test/cli/packages_cmd_test.go
index 6a768dcdb20..20ec9fa7e41 100644
--- a/test/cli/packages_cmd_test.go
+++ b/test/cli/packages_cmd_test.go
@@ -229,6 +229,20 @@ func TestPackagesCmdFlags(t *testing.T) {
 assertSuccessfulReturnCode,
 },
 },
+ {
+ name: "password and key not in config output",
+ args: []string{"packages", "-vvv", "-o", "json", coverageImage},
+ env: map[string]string{
+ "SYFT_ATTEST_PASSWORD": "secret_password",
+ "SYFT_ATTEST_KEY": "secret_key_path",
+ },
+ assertions: []traitAssertion{
+ assertNotInOutput("secret_password"),
+ assertNotInOutput("secret_key_path"),
+ assertPackageCount(34),
+ assertSuccessfulReturnCode,
+ },
+ },
 }
 for _, test := range tests {
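Review bot: The `-` tags on Key and Password only keep encoding/json and the yaml marshaller from emitting them; any other way the struct gets printed (a `%v`/`%+v` format verb, a reflection-based pretty-printer, a debug dump of the raw viper settings map) would presumably still show both values, so the IMPORTANT comment overstates what the tags guarantee. The comment also does not say why loading keeps working, which the next reader will wonder about when they see `yaml:"-"` on a field that comes from a YAML config file; I would reword it as `// Key and Password are decoded by viper through the mapstructure tags only; the yaml/json "-" tags keep them out of config dumps and do not affect loading.`. If the config is ever serialised through a path that does not honour these tags, a redacting `MarshalJSON`/`MarshalYAML` or a `String()` method on attest would be a more robust guard than per-field tags, since any field added to this struct later is printed by default.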
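Review bot: The new case only proves that the two secret strings are absent from the output, which a build that never loaded `SYFT_ATTEST_PASSWORD`/`SYFT_ATTEST_KEY` at all would also pass, so it cannot distinguish redaction from a broken mapstructure path; a companion unit test in the config package that sets those env vars and asserts the decoded attest Key and Password values would close that gap. `assertPackageCount(34)` additionally ties this redaction check to the exact contents of coverageImage, so an unrelated image change fails it for a reason that has nothing to do with secret handling; `assertSuccessfulReturnCode` alone shows the run completed. TestPackagesCmdFlags and the tests table this entry extends both begin before this hunk.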