Masking Sensitive Information in Salto for Git Repositories

Mask sensitive data in Salto for secure storage across git platforms

Written by Dan Avigdor
Updated over 2 weeks ago

Salto provides a way to mask sensitive information, such as secrets and authorization tokens, preventing them from being exposed in files generated by Salto and stored in Git repositories. This feature is crucial for safeguarding your sensitive data. By enabling masking, sensitive properties are hidden and replaced with placeholder values, like <SECRET_TOKEN>, ensuring they don’t appear in plain text.

Sensitive information, such as API keys and authorization tokens, can sometimes be included in instances like automation components (e.g., Jira Automation’s “Send web request” actions). Exposing these values within repositories can create security risks if accessed by unauthorized users.

The masking feature allows teams to securely store and share configuration files without revealing secrets, enhancing both security and compliance.

How to Enable Masking

To enable masking of sensitive headers in Salto, open the configuration file for your Salto setup and add the masking configuration option.

Add automationHeaders with a list of sensitive header keys in Automations you wish to mask.
For example:

masking = {
  automationHeaders = [
    "Authorization"
  ]
}

will replace the Authorization header value with <SECRET_TOKEN>:

Before:

headers = [
  {
    name = "Authorization"
    value = "Ym9zY237Ym9zY28="
    headerSecure = false
  },
]

After:

headers = [
  {
    name = "Authorization"
    value = "<SECRET_TOKEN>"
    headerSecure = false
  },
]

Add secretRegexps with a list of regex matchers for values to mask all across the workspace. For example:

masking = {
  secretRegexps = [
    ".*pass=.*"
  ]
}

will replace any value containing "pass=" with <SECRET_TOKEN>. The whole value is replaced, not only the matching part:

Before:

tokenData = "some data and pass=12345 and more data"

After:

tokenData = "<SECRET_TOKEN>"
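
A pre-commit style check for the two options above, added here as an example (it is not Salto's code and not part of the original article): it scans text in the snippet format shown on this page and reports values that would reach Git unmasked. The function name find_unmasked, the line-based parsing, and the matching rules noted in the docstring are assumptions.

```python
import re

PLACEHOLDER = "<SECRET_TOKEN>"  # placeholder value shown on this page
# `key = "value"` lines in the snippet format used on this page
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*,?\s*$')

def find_unmasked(text, automation_headers=(), secret_regexps=()):
    """Return (line_no, key, reason) for values that still look unmasked.

    Assumptions, not Salto's documented behaviour: header names compare
    case-insensitively, a header's `name` line precedes its `value` line,
    and a secretRegexps pattern has to match the whole value.
    """
    headers = {h.lower() for h in automation_headers}
    patterns = [re.compile(p, re.DOTALL) for p in secret_regexps]
    findings, pending = [], None  # pending: sensitive header awaiting value
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            if "}" in line:  # end of a header block
                pending = None
            continue
        key, value = m.groups()
        if key == "name":
            pending = value if value.lower() in headers else None
        elif value == PLACEHOLDER:
            continue
        elif key == "value" and pending:
            findings.append((no, key, f"header {pending} is not masked"))
        elif any(p.fullmatch(value) for p in patterns):
            findings.append((no, key, "value matches a secretRegexps pattern"))
    return findings

# Constructed sample: this page's "Before" snippets plus one harmless field
SAMPLE = '''\
headers = [
  {
    name = "Authorization"
    value = "Ym9zY237Ym9zY28="
    headerSecure = false
  },
]
tokenData = "some data and pass=12345 and more data"
description = "nightly sync"
'''

if __name__ == "__main__":
    for finding in find_unmasked(SAMPLE, ["Authorization"], [".*pass=.*"]):
        print(finding)
```

Run against the files about to be committed, an empty result means every listed header and every regex-matched value already carries the placeholder.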

Additional Features

Change Validator: Salto includes a change validator that warns when a field containing <SECRET_TOKEN> is about to be deployed, ensuring users are aware of masked fields before deployment.

Post-Deployment Guidance: After deployment, Salto provides guidance on updating the masked fields with actual values in the service.

Using the masking feature allows you to secure sensitive information within your repositories while maintaining functionality and compliance with security protocols.

If you need further assistance, please reach out to the support team.
