Masks secrets in your zsh history
Example:
❯ curl -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5c' https://example.com
❯ curl -u foo:bar https://example.com
❯ curl https://foo:bar@example.com
❯ AWS_SECRET_ACCESS_KEY=key aws s3 ls s3://example
❯ export DB_PASSWORD=foo
❯ history | tail
1 curl -H 'Authorization: ...' https://example.com > /dev/null
2 curl -u ... https://example.com > /dev/null
3 curl https://...@example.com > /dev/null
4 AWS_SECRET_ACCESS_KEY=... aws s3 ls s3://example
5 export DB_PASSWORD=...
ZSH will let you recover the previous command with secrets immediately after execution:
> curl http://username:password@github.com/foo
> # <up-arrow> recovers command with password immediately after execution
> # <up-arrow> recovers masked command here
To exclude any command from history, prefix with a space. It behaves the same as above:
> echo "prefixed with space"
> # available here on <up-arrow>
> # Not available here
Control what secrets are catched by setting the environment variable HISTORY_EXCLUDE_PATTERN
. If the pattern includes a single group, that group is substituted with ...
. The default HISTORY_EXCLUDE_PATTERN
is
❯ echo $HISTORY_EXCLUDE_PATTERN
^ |//([^/]+:[^/]+)@|KEY[=:] *([^ ]+)|TOKEN[=:] *([^ ]+)|BEARER[=:] *([^ ]+)|PASSWO?R?D?[=:] *([^ ]+)|Authorization[=:] *([^'\"]+)|-us?e?r? ([^:]+:[^:]+)
it is not case sensitive
Using Plain zsh
Download zsh-mask.zsh, then add to .zshrc
source /path/to/zsh-mask.zsh
Using Antibody
antibody bundle jgogstad/zsh-mask
Using ZInit
Add the following to .zshrc
zinit light jgogstad/zsh-mask
Using ZPlug
Add the following to .zshrc
zplug 'jgogstad/zsh-mask'
Using Oh My Zsh
git clone https://github.com/jgogstad/zsh-mask ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-mask
Add the following to .zshrc
plugins=(zsh-mask)
Overwrite HISTORY_EXCLUDE_PATTERN
to customize:
❯ export HISTORY_EXCLUDE_PATTERN="^ykchalresp|$HISTORY_EXCLUDE_PATTERN"
The pattern is a regex and it's evaluated with zsh's =~
operator using case insensitive evaluation.