@@ -101,6 +101,13 @@ jobs:
101101 # Mask Terraform variables
102102 echo "::add-mask::${{ vars.TF_VARS_FILE }}"
103103
104+ # Mask any PEM-encoded certificate blocks (public certs)
105+ grep -Poz '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----' tfplan.txt | while read -r cert_block; do
106+ if [ -n "$cert_block" ]; then
107+ echo "::add-mask::$cert_block"
108+ fi
109+ done || echo "No PEM certificates found to mask."
110+
104111 # Output the sanitized plan to logs
105112 cat plan_output.txt
106113
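Review bot: The trailing `|| echo "No PEM certificates found to mask."` on the new masking loop makes this step fail open. If the step runs with `pipefail`, a grep error (unreadable `tfplan.txt`, a grep without `-P`) is reported as "no certificates" and the `cat plan_output.txt` below still prints the plan; without `pipefail` the pipeline status is the loop's, so the branch never runs. Which case applies depends on the step's `shell:` setting, which is outside the hunk. I would check grep's exit status on its own and stop the step on anything other than 0 or 1, as sketched below. The masks are also built from `tfplan.txt` while the step prints `plan_output.txt`, so it is worth confirming that certificate lines appear identically in both files.

```shell
# Mask any PEM-encoded certificate blocks (public certs)
cert_rc=0
grep -q -e '-----BEGIN CERTIFICATE-----' tfplan.txt || cert_rc=$?
case "$cert_rc" in
  0)
    # read -r splits grep's NUL-separated output on newlines, so each line of a block is masked on its own
    # … unchanged: grep -Poz … | while read -r cert_block … done, without the trailing || echo …
    ;;
  1) echo "No PEM certificates found to mask." ;;
  *)
    echo "::error::certificate scan of tfplan.txt failed (grep exit $cert_rc); not printing the plan"
    exit 1
    ;;
esac
```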
@@ -125,6 +132,7 @@ jobs:
125132 PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
126133 PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
127134 PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
135+ PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/')
128136
129137 echo "PLAN<<EOF" >> $GITHUB_ENV
130138 echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
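Review bot: The sed range added at new line 135 can only close on a later line than the one that opened it. If a certificate is ever rendered on a single line (both markers together, for example with escaped newlines), or a block is cut off before its END marker, every following line of the plan becomes `[REDACTED_PEM_CERT]`. That errs on the safe side for disclosure but can blank the rest of the output, and each line of a normal block also becomes its own placeholder that counts against `${PLAN_FULL::$LENGTH}`. Collapsing same-line blocks first avoids the runaway range: `sed -E -e 's/-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----/[REDACTED_PEM_CERT]/g' -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/'`. Both this expression and the masking loop in the first hunk match only the `CERTIFICATE` label, so a comment such as `# other PEM labels (e.g. private keys) are not covered here` would help, since whether those are redacted elsewhere is not visible in this diff.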