Keeping Secrets Out of Logs: A Defense-in-Depth Approach
By xk3
Summary
This article discusses strategies for preventing sensitive data (secrets, credentials, PII) from being written to application logs. The author argues that there is no single silver-bullet solution; instead, a combination of layered approaches ("lead bullets") can significantly reduce the risk. Based on a talk given at LocoMocoSec 2024, the post covers practical techniques such as structured logging, log scrubbing, detection and alerting, developer education, and tooling to catch secrets before they reach log output. The emphasis is on defense-in-depth rather than on any one fix.
Key quotes
There's no silver bullet, but if we put some 'lead' bullets in the right places, we have a good shot at keeping sensitive data out of logs.
This post is about how to keep secrets out of logs, and my claim is that (like many things in security) there isn't a singular action or silver bullet that lets you do this.
I would go so far as to say that there's not even an 80/20 rule, where one action gets you 80% of the way there.
