feat: add --mask-secrets flag to mask sensitive information

Add a new --mask-secrets flag that automatically masks sensitive
information such as API keys and tokens in the output. Matched
patterns are replaced with asterisks of the same length.

Supported patterns:
- AWS Access Key ID
- GitHub Tokens (ghp_, gho_, ghs_, ghr_)
- GitLab Personal Access Tokens
- Slack Tokens
- JWT Tokens
- Private Key Headers

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: koki-develop

README.md

@@ -67,6 +67,7 @@ Flags:
       --list-formats      print a list of supported output formats
       --list-langs        print a list of supported languages for syntax highlighting
       --list-themes       print a list of supported themes with preview
+      --mask-secrets      mask sensitive information (API keys, tokens)
       --no-resize         do not resize images
   -p, --pretty            whether to format a content pretty
   -M, --render-markdown   render markdown
@@ -93,9 +94,27 @@ See [themes.md](./docs/themes.md) for valid themes.
 
 ### `-p`, `--pretty`
 
-Format a content pretty.  
+Format a content pretty.
 For unsupported languages, this flag is ignored.
 
+### `--mask-secrets`
+
+Mask sensitive information such as API keys and tokens.
+Matched patterns are replaced with `*` characters of the same length.
+
+```console
+$ echo 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE' | gat --mask-secrets
+AWS_ACCESS_KEY_ID=********************
+```
+
+Supported patterns:
+- AWS Access Key ID
+- GitHub Tokens (`ghp_`, `gho_`, `ghs_`, `ghr_`)
+- GitLab Personal Access Tokens
+- Slack Tokens
+- JWT Tokens
+- Private Key Headers
+
 ### `-M`, `--render-markdown`
 
 Render markdown documents.  

cmd/flags.go

@@ -36,6 +36,9 @@ var (
 	// --pretty
 	flagPretty bool
 
+	// --mask-secrets
+	flagMaskSecrets bool
+
 	// --list-langs
 	flagListLangs bool
 
@@ -56,6 +59,7 @@ func init() {
 	rootCmd.Flags().BoolVar(&flagNoResize, "no-resize", false, "do not resize images")
 
 	rootCmd.Flags().BoolVarP(&flagPretty, "pretty", "p", false, "whether to format a content pretty")
+	rootCmd.Flags().BoolVar(&flagMaskSecrets, "mask-secrets", false, "mask sensitive information (API keys, tokens)")
 
 	rootCmd.Flags().BoolVar(&flagListLangs, "list-langs", false, "print a list of supported languages for syntax highlighting")
 	rootCmd.Flags().BoolVar(&flagListFormats, "list-formats", false, "print a list of supported output formats")

cmd/root.go

@@ -59,11 +59,11 @@ var rootCmd = &cobra.Command{
 		}
 
 		if len(args) == 0 {
-			return g.Print(os.Stdout, os.Stdin, gat.WithPretty(flagPretty))
+			return g.Print(os.Stdout, os.Stdin, gat.WithPretty(flagPretty), gat.WithMask(flagMaskSecrets))
 		}
 
 		for _, filename := range args {
-			if err := processFile(g, filename, gat.WithPretty(flagPretty), gat.WithFilename(filename)); err != nil {
+			if err := processFile(g, filename, gat.WithPretty(flagPretty), gat.WithMask(flagMaskSecrets), gat.WithFilename(filename)); err != nil {
 				return err
 			}
 		}

internal/gat/gat.go

@@ -17,6 +17,7 @@ import (
 	"github.com/charmbracelet/glamour"
 	"github.com/koki-develop/gat/internal/formatters"
 	"github.com/koki-develop/gat/internal/lexers"
+	"github.com/koki-develop/gat/internal/masker"
 	"github.com/koki-develop/gat/internal/prettier"
 	"github.com/koki-develop/gat/internal/styles"
 	"github.com/mattn/go-sixel"
@@ -76,6 +77,7 @@ func New(cfg *Config) (*Gat, error) {
 
 type printOption struct {
 	Pretty   bool
+	Mask     bool
 	Filename string
 }
 
@@ -93,6 +95,12 @@ func WithFilename(name string) PrintOption {
 	}
 }
 
+func WithMask(m bool) PrintOption {
+	return func(o *printOption) {
+		o.Mask = m
+	}
+}
+
 func (g *Gat) Print(w io.Writer, r io.Reader, opts ...PrintOption) error {
 	// parse options
 	opt := &printOption{}
@@ -187,6 +195,11 @@ func (g *Gat) Print(w io.Writer, r io.Reader, opts ...PrintOption) error {
 		}
 	}
 
+	// mask sensitive information
+	if opt.Mask {
+		src = masker.Mask(src)
+	}
+
 	// print
 	it, err := lexer.Tokenise(nil, src)
 	if err != nil {

internal/masker/masker.go

@@ -0,0 +1,32 @@
+package masker
+
+import (
+	"regexp"
+	"strings"
+)
+
+var patterns = []*regexp.Regexp{
+	// AWS Access Key ID
+	regexp.MustCompile(`AKIA[0-9A-Z]{16}`),
+	// GitHub Tokens (ghp_, gho_, ghs_, ghr_)
+	regexp.MustCompile(`gh[pousr]_[a-zA-Z0-9]{36,}`),
+	// GitLab Personal Access Token
+	regexp.MustCompile(`glpat-[a-zA-Z0-9\-_]{20,}`),
+	// Slack Tokens
+	regexp.MustCompile(`xox[baprs]-[0-9a-zA-Z\-]+`),
+	// JWT Tokens
+	regexp.MustCompile(`eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*`),
+	// Private Key Headers
+	regexp.MustCompile(`-----BEGIN\s+(RSA|DSA|EC|OPENSSH|PGP)\s+PRIVATE\s+KEY-----`),
+}
+
+// Mask replaces sensitive patterns in content with asterisks of the same length
+func Mask(content string) string {
+	result := content
+	for _, p := range patterns {
+		result = p.ReplaceAllStringFunc(result, func(match string) string {
+			return strings.Repeat("*", len(match))
+		})
+	}
+	return result
+}

internal/masker/masker_test.go

@@ -0,0 +1,79 @@
+package masker
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMask(t *testing.T) {
+	tests := []struct {
+		name  string
+		input string
+		want  string
+	}{
+		{
+			name:  "AWS Access Key",
+			input: "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
+			want:  "aws_access_key_id = " + strings.Repeat("*", 20),
+		},
+		{
+			name:  "GitHub Personal Access Token",
+			input: "token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			want:  "token: " + strings.Repeat("*", 40),
+		},
+		{
+			name:  "GitHub OAuth Token",
+			input: "GITHUB_TOKEN=gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			want:  "GITHUB_TOKEN=" + strings.Repeat("*", 40),
+		},
+		{
+			name:  "GitLab Personal Access Token",
+			input: "GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx",
+			want:  "GITLAB_TOKEN=" + strings.Repeat("*", 26),
+		},
+		{
+			name:  "Slack Bot Token",
+			input: "SLACK_TOKEN=xoxb-123456789-abcdefgh",
+			want:  "SLACK_TOKEN=" + strings.Repeat("*", 23),
+		},
+		{
+			name:  "JWT Token",
+			input: "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U",
+			want:  "Authorization: Bearer " + strings.Repeat("*", 108),
+		},
+		{
+			name:  "RSA Private Key Header",
+			input: "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...",
+			want:  strings.Repeat("*", 31) + "\nMIIEpAIBAAKCAQEA...",
+		},
+		{
+			name:  "No sensitive data",
+			input: "const message = 'Hello World'",
+			want:  "const message = 'Hello World'",
+		},
+		{
+			name:  "Multiple secrets",
+			input: "GITHUB=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nAWS=AKIAIOSFODNN7EXAMPLE",
+			want:  "GITHUB=" + strings.Repeat("*", 40) + "\nAWS=" + strings.Repeat("*", 20),
+		},
+		{
+			name:  "Empty string",
+			input: "",
+			want:  "",
+		},
+		{
+			name:  "Preserves length",
+			input: "KEY=AKIAIOSFODNN7EXAMPLE",
+			want:  "KEY=" + strings.Repeat("*", 20),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := Mask(tt.input)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}