diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index fb8eda126..5186f68e2 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -430,7 +430,8 @@ func main() {
 "uid", os.Getuid(),
 "gid", os.Getgid(),
 "home", os.Getenv("HOME"),
- "args", os.Args)
+ "args", logSafeArgs(os.Args),
+ "env", logSafeEnv(os.Environ()))
 
 if _, err := exec.LookPath(*flGitCmd); err != nil {
 log.Error(err, "ERROR: git executable not found", "git", *flGitCmd)
@@ -717,6 +718,43 @@ func main() {
 }
 }
 
+const redactedString = ""
+
+// logSafeArgs makes sure any sensitive args (e.g. passwords) are redacted
+// before logging.
+func logSafeArgs(args []string) []string {
+ ret := make([]string, len(args))
+ redact := false
+ for i, arg := range args {
+ if redact {
+ ret[i] = redactedString
+ redact = false
+ continue
+ }
+ if arg == "--password" {
+ redact = true
+ }
+ if strings.HasPrefix(arg, "--password=") {
+ arg = "--password=" + redactedString
+ }
+ ret[i] = arg
+ }
+ return ret
+}
+
+// logSafeEnv makes sure any sensitive env vars (e.g. passwords) are redacted
+// before logging.
+func logSafeEnv(env []string) []string {
+ ret := make([]string, len(env))
+ for i, ev := range env {
+ if strings.HasPrefix(ev, "GIT_SYNC_PASSWORD=") {
+ ev = "GIT_SYNC_PASSWORD=" + redactedString
+ }
+ ret[i] = ev
+ }
+ return ret
+}
+
 func normalizePath(path string) (string, error) {
 delinked, err := filepath.EvalSymlinks(path)
 if err != nil {
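Review bot: In the first hunk, the new `"env", logSafeEnv(os.Environ())` field writes the entire process environment to the startup log, while logSafeEnv (added in the second hunk) masks only `GIT_SYNC_PASSWORD`. Any other secret in the environment, such as tokens, cloud credentials or proxy URLs with embedded credentials, would be logged in clear text. An allowlist is safer than a denylist here: log only the variables this program itself reads, presumably those with the `GIT_SYNC_` prefix, by adding `if !strings.HasPrefix(ev, "GIT_SYNC_") { continue }` before the redaction and building `ret` with `append`. main's body starts and ends outside this hunk, so who can read this log cannot be judged from here.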
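Review bot: In the second hunk, logSafeArgs redacts only the exact spellings `--password` and `--password=`. If the flag parser also accepts a single dash, `-password secret` and `-password=secret` are logged unredacted; Go's standard `flag` package treats both spellings alike, but the parser in use is not visible here. Normalising the name before comparing closes the gap, e.g. `name := strings.TrimLeft(arg, "-")`, then testing `strings.HasPrefix(arg, "-") && name == "password"` or `strings.HasPrefix(name, "password=")`. Separately, `redactedString` appears as the empty string on this page, which may be a rendering loss; if it really is empty, a redacted value is indistinguishable from an unset one, and a visible marker such as `"REDACTED"` (constructed example) would be clearer. Credentials embedded in other arguments, such as a URL carrying userinfo, are not covered by either helper.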