From e27070a4f50336395dfe1e598d3c9637b1b1bfd1 Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Fri, 3 Feb 2023 12:34:30 -0500
Subject: [PATCH 1/3] fix: update config struct to not decode password/key
Signed-off-by: Christopher Phillips
---
 internal/config/attest.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/config/attest.go b/internal/config/attest.go
index f0493d7bfce..11bbbcdfc08 100644
--- a/internal/config/attest.go
+++ b/internal/config/attest.go
@@ -3,8 +3,8 @@ package config
 import "github.com/spf13/viper"
 
 type attest struct {
- Key string `yaml:"key" json:"key" mapstructure:"key"`
- Password string `yaml:"password" json:"password" mapstructure:"password"`
+ Key string `yaml:"-" json:"-" mapstructure:"key"`
+ Password string `yaml:"-" json:"-" mapstructure:"password"`
 }
 
 func (cfg attest) loadDefaultValues(v *viper.Viper) {
From ad75b8ce4d043ecf992f232db301246f5076f131 Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Fri, 3 Feb 2023 12:47:32 -0500
Subject: [PATCH 2/3] test: update tests to confirm no secrets in output
Signed-off-by: Christopher Phillips
---
 test/cli/packages_cmd_test.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/test/cli/packages_cmd_test.go b/test/cli/packages_cmd_test.go
index 6a768dcdb20..20ec9fa7e41 100644
--- a/test/cli/packages_cmd_test.go
+++ b/test/cli/packages_cmd_test.go
@@ -229,6 +229,20 @@ func TestPackagesCmdFlags(t *testing.T) {
 assertSuccessfulReturnCode,
 },
 },
+ {
+ name: "password and key not in config output",
+ args: []string{"packages", "-vvv", "-o", "json", coverageImage},
+ env: map[string]string{
+ "SYFT_ATTEST_PASSWORD": "secret_password",
+ "SYFT_ATTEST_KEY": "secret_key_path",
+ },
+ assertions: []traitAssertion{
+ assertNotInOutput("secret_password"),
+ assertNotInOutput("secret_key_path"),
+ assertPackageCount(34),
+ assertSuccessfulReturnCode,
+ },
+ },
 }
 
 for _, test := range tests {
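Review bot: Switching the tags to `yaml:"-" json:"-"` removes the attest fields from serialized output entirely, so a `-vvv` config dump no longer shows whether a key or password was configured at all; redacting would keep that operational signal while still hiding the values. One option is a custom marshaller on `attest` that emits a fixed placeholder for a non-empty field, assuming the config dump goes through the standard YAML/JSON encoders, which this hunk does not show. The `mapstructure` tags are kept, so viper decoding of `attest.key` and `attest.password` is presumably unaffected, but note that any direct `yaml.Unmarshal`/`json.Unmarshal` into this struct would now also skip these fields. `loadDefaultValues` starts on the hunk's last line and continues outside it.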
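Review bot: The new table case only proves the secret strings are absent from the output; it does not check that the values were still loaded, so a later edit that also dropped the `mapstructure` tags would pass this test while silently disabling attest configuration from the environment. A positive assertion that the config dump still reports the attest section (with the values hidden) would close that gap; the helpers used here (`assertNotInOutput`, `assertPackageCount`, `assertSuccessfulReturnCode`) do not cover it, so a new trait assertion is presumably needed. The case also exercises only the successful `packages -o json` path, so an error message that echoes the configured key path would not be caught by it. The test table and `TestPackagesCmdFlags` continue outside the hunk.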
From 31341b7e9d651ed9805c8f7d274a198113d7dd96 Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Fri, 3 Feb 2023 12:59:26 -0500
Subject: [PATCH 3/3] chore: add comments
Signed-off-by: Christopher Phillips
---
 internal/config/attest.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/internal/config/attest.go b/internal/config/attest.go
index 11bbbcdfc08..659c7d3ed7f 100644
--- a/internal/config/attest.go
+++ b/internal/config/attest.go
@@ -3,6 +3,7 @@ package config
 import "github.com/spf13/viper"
 
 type attest struct {
+ // IMPORTANT: do not show the attestation key/password in any YAML/JSON output (sensitive information)
 Key string `yaml:"-" json:"-" mapstructure:"key"`
 Password string `yaml:"-" json:"-" mapstructure:"password"`
 }
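Review bot: The added comment states the intent but not the mechanism, and as placed it is the field comment for `Key` only, although it applies equally to `Password`. A comment that also explains why the `mapstructure` tags remain would stop a future edit from "completing" the change by removing them; for example, as the struct's doc comment above `type attest struct`: `// attest holds the attestation key and password. The yaml/json "-" tags keep both out of any serialized config output (sensitive); the mapstructure tags are what viper decodes through and must stay.` That places the rationale where both fields and the tag asymmetry are visible together.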