Skip to content

Sanitize credentials in Docker command logs #419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lpcox merged 2 commits into from
Jan 22, 2026
Merged

Sanitize credentials in Docker command logs #419

lpcox merged 2 commits into from
Jan 22, 2026

Conversation

Copy link
Contributor

Copilot AI commented Jan 22, 2026
edited
Loading

Docker environment variables containing secrets (e.g., GITHUB_PERSONAL_ACCESS_TOKEN=ghp_xxx...) were being logged in plaintext when launching MCP backend servers.

Changes

  • Added SanitizeArgs() function (internal/logger/sanitize/sanitize.go)

    • Detects -e VAR=VALUE patterns in Docker args
    • Truncates values using existing TruncateSecret() (shows first 4 chars + "...")
    • Preserves non-env-var arguments unchanged

  • Updated logging statements to sanitize args before output:

    • internal/launcher/launcher.go: 4 locations (GetOrLaunch, GetOrLaunchForSession)
    • internal/mcp/connection.go: 5 locations (NewConnection, startup, error paths)

  • Test coverage: 13 test cases including dedicated leak detection test

Example

Before:

[INFO] [backend] args=[run -e GITHUB_PERSONAL_ACCESS_TOKEN=ghp_1234567890123456789012345678901234567890 ...]

After:

[INFO] [backend] args=[run -e GITHUB_PERSONAL_ACCESS_TOKEN=ghp_... ...]

Variable names remain visible for debugging while values are safely truncated.

Warning

GitHub's Secret Scanning detected potential secrets in the added content. We attempted to remediate the issue by updating the code or redacting.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • this-host-does-not-exist-12345.com
    • Triggering command: /tmp/go-build3753664088/b278/mcp.test /tmp/go-build3753664088/b278/mcp.test -test.testlogfile=/tmp/go-build3753664088/b278/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true -c=4 -nolocalimports -importcfg /tmp/go-build3753664088/b243/importcfg -pack /home/REDACTED/go/pkg/mod/github.com/modelcontextprotocol/go-sdk@v1.1.0/internal/util/util.go 64/pkg/include ortc�� 64/src/runtime/cgo 64/src/weak/doc.go ache/go/1.25.5/x64/pkg/tool/linu-o pull.rebase (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@lpcox
Add SanitizeArgs function and sanitize credentials in logs
8c4fbad 
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix credential leakage in launch command logs Sanitize credentials in Docker command logs Jan 22, 2026
Copilot AI requested a review from lpcox January 22, 2026 04:28
@lpcox lpcox marked this pull request as ready for review January 22, 2026 04:30
@lpcox lpcox merged commit 981ead8 into main Jan 22, 2026
3 checks passed
@lpcox lpcox deleted the copilot/sanitize-logs-for-credentials branch January 22, 2026 04:30
This was referenced Jan 22, 2026
Closed
Closed
Closed
Copilot AI mentioned this pull request Jan 22, 2026
Closed
9 tasks
This was referenced Jan 22, 2026
Closed
Closed
This was referenced Jan 22, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lpcox lpcox Awaiting requested review from lpcox

Assignees

@lpcox lpcox

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lpcox