Overview and Purpose of Salto’s Masking Feature
Salto can mask sensitive values, such as secrets and authorization tokens, so that they are not written into the files Salto generates and commits to your Git repository. Anything committed to Git is readable by everyone with access to the repository, is picked up by secret-scanning tools, and stays in the history even after the file is changed, so keeping secrets out of those files in the first place matters. With masking configured, sensitive properties are replaced with a placeholder value, <SECRET_TOKEN>, instead of appearing in plain text.
Such values can end up in configuration that Salto fetches, for example in the headers of Jira Automation "Send web request" actions, where an API key or authorization token is set as a header value. The masking feature lets teams store and share that configuration without revealing the secrets in it.
How to Enable Masking
To enable masking of sensitive headers in Salto, follow these steps:
1. Edit Your Config File: Open the configuration file for your Salto setup and add the masking snippet.
2. Add Sensitive Headers to Mask: Use the automationHeaders list to specify which headers you want to mask. For example:
    masking = {
      automationHeaders = [
        "Authorization"
      ]
    }
In this case, the "Authorization" header will be masked, replacing its value with <SECRET_TOKEN>.
3. Mask Other Fields Using Regular Expressions: If you need to mask values that are not identified by a header name, add patterns to the secretRegexps list. Any value that matches one of the patterns is replaced with <SECRET_TOKEN>. Write patterns that match the whole secret (for example, anchored with ^ and $) rather than a loose substring, so that ordinary configuration values that happen to contain the same characters are not masked by accident.
4. Example of Masked Header:
Once configured, sensitive headers will appear as follows:
    headers = [
      {
        id = "_header_1730023761987"
        name = "Authorization"
        value = "<SECRET_TOKEN>"
        headerSecure = false
      },
    ]
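The following TypeScript is an added example written for this article; it is not Salto's code and does not use Salto's APIs. It applies a config of the same shape as the snippet above (automationHeaders plus secretRegexps) to a constructed header list modeled on the masked header example, so you can see which headers are replaced by name, which by pattern, and which are left alone. The header ids, names and values are made up, and matching header names case-insensitively is a choice of this example.

```typescript
// Added example for this article, not Salto's own code: applies a masking
// config shaped like the snippet above to a Jira automation header list.

const SECRET_TOKEN = "<SECRET_TOKEN>";

interface MaskingConfig {
  automationHeaders: string[]; // header names whose values are always masked
  secretRegexps: string[];     // patterns; any value matching one is masked
}

interface WebRequestHeader {
  id: string;
  name: string;
  value: string;
  headerSecure: boolean;
}

// Compile every pattern once. A malformed regex throws here, at config time,
// instead of silently leaving values unmasked on every fetch.
function compilePatterns(patterns: string[]): RegExp[] {
  return patterns.map((p) => new RegExp(p));
}

// Returns a masked copy of the headers; the input is not mutated.
function maskHeaders(headers: WebRequestHeader[], config: MaskingConfig): WebRequestHeader[] {
  // HTTP header names are case-insensitive; matching them that way is a choice of
  // this example so "authorization" is caught by a config listing "Authorization".
  const maskedNames = new Set(config.automationHeaders.map((n) => n.toLowerCase()));
  const patterns = compilePatterns(config.secretRegexps);
  return headers.map((h) => {
    const byName = maskedNames.has(h.name.toLowerCase());
    const byPattern = patterns.some((re) => re.test(h.value));
    return byName || byPattern ? { ...h, value: SECRET_TOKEN } : h;
  });
}

// Constructed sample data (ids, names and values are made up for the example).
const sampleConfig: MaskingConfig = {
  automationHeaders: ["Authorization"],
  // Anchored so only a complete key-shaped value matches, not any value that
  // merely contains "sk_live_".
  secretRegexps: ["^sk_live_[0-9a-f]{16}$"],
};

const sampleHeaders: WebRequestHeader[] = [
  { id: "_header_1", name: "authorization", value: "Bearer c2FsdG8tZGVtbw", headerSecure: false },
  { id: "_header_2", name: "Content-Type", value: "application/json", headerSecure: false },
  { id: "_header_3", name: "X-Api-Key", value: "sk_live_0123456789abcdef", headerSecure: false },
  { id: "_header_4", name: "X-Note", value: "rotate sk_live_ keys monthly", headerSecure: false },
];

function maskedSample(): WebRequestHeader[] {
  return maskHeaders(sampleHeaders, sampleConfig);
}

console.log(JSON.stringify(maskedSample(), null, 2));
```

Running it masks the first header by name and the third by pattern, while Content-Type and the note header keep their values. Had the pattern been the unanchored "sk_live_", the note header would have been masked too, which is the kind of false positive the anchoring guards against.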
Additional Features
• Change Validator: Salto includes a change validator that warns when a field containing <SECRET_TOKEN> is about to be deployed. Because Salto no longer holds the real value, the placeholder is what would be written to the service, so the warning tells you which fields will need their real values restored after the deployment.
• Post-Deployment Guidance: After deployment, Salto provides guidance on updating the masked fields with actual values in the service.
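As an added example, not Salto's own change validator, here is the kind of pre-deployment check the validator performs: walk every value of the instance about to be deployed and report the path of each field that still holds the <SECRET_TOKEN> placeholder. The automation instance, its field names and the warning format are constructed for this example.

```typescript
// Added example for this article, not Salto's change validator: finds fields
// still holding the masking placeholder in an instance about to be deployed.

const MASK_PLACEHOLDER = "<SECRET_TOKEN>";

type Value = string | number | boolean | null | Value[] | { [key: string]: Value };

interface ChangeWarning {
  severity: "Warning";
  message: string;
  detailedMessage: string;
}

// Walk the value tree and collect a dotted path for every string that still
// contains the placeholder, however deeply it is nested in objects or arrays.
function findMaskedFields(value: Value, path: string[] = []): string[] {
  const found: string[] = [];
  if (typeof value === "string") {
    if (value.indexOf(MASK_PLACEHOLDER) !== -1) found.push(path.join("."));
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      found.push(...findMaskedFields(value[i], path.concat(String(i))));
    }
  } else if (value !== null && typeof value === "object") {
    const obj: { [key: string]: Value } = value;
    for (const k of Object.keys(obj)) {
      found.push(...findMaskedFields(obj[k], path.concat(k)));
    }
  }
  return found;
}

// Deploying a masked instance writes the literal placeholder into the service,
// because the real secret is not in the file. Warn rather than block, so the
// deployment can proceed and the fields be re-entered in the service afterwards.
function validateNoMaskedValues(instanceName: string, value: Value): ChangeWarning[] {
  const paths = findMaskedFields(value);
  if (paths.length === 0) return [];
  return [{
    severity: "Warning",
    message: `${instanceName} contains masked values`,
    detailedMessage:
      `These fields will be deployed as "${MASK_PLACEHOLDER}" and must be updated ` +
      `in the service after deployment: ${paths.join(", ")}`,
  }];
}

// Constructed sample: a fetched automation whose Authorization header was masked.
const sampleAutomation: Value = {
  name: "Notify payments service",
  components: [
    {
      component: "SEND_WEB_REQUEST",
      value: {
        url: "https://payments.example.com/hook",
        headers: [
          { id: "_header_1", name: "Authorization", value: MASK_PLACEHOLDER, headerSecure: false },
          { id: "_header_2", name: "Content-Type", value: "application/json", headerSecure: false },
        ],
      },
    },
  ],
};

function warningsForSample(): ChangeWarning[] {
  return validateNoMaskedValues("Notify payments service", sampleAutomation);
}

console.log(JSON.stringify(warningsForSample(), null, 2));
```

For the sample instance the check reports a single warning naming the path components.0.value.headers.0.value; an instance with no placeholder anywhere in its values produces no warnings.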
Using the masking feature lets you keep sensitive information out of your repositories while maintaining functionality and compliance with your security policies. Note that masking only affects files generated after it is configured: secrets that were committed before that remain in the repository history and should be rotated.
If you need further assistance, please reach out to the support team.