Redaction of sensitive environment variables from uploaded steps

We had an incident recently where a sensitive environment variable was interpolated in a buildkite step uploaded by the buildkite agent. We are using the log redaction to prevent secrets from ending up in logs. We understand it’s probably difficult to apply redaction on step upload, but would it be possible to have a flag that would attempt to apply the redaction on uploaded steps, and fail the step upload if it detects something sensitive?

Hi @richardstephens!

Welcome to the community! :blush:

Oh no! That’s not good!
We added the functionality of preventing pipeline uploads from including interpolated redacted vars: https://github.com/buildkite/agent/pull/1523

This functionality will be included in the next release, which, if everything goes well, is scheduled for the end of next week.

Best!
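
The check requested in this thread (scan the interpolated pipeline for values of sensitive variables and refuse the upload on a match) can be sketched as follows. This is an added example, not code from the linked pull request or the Buildkite agent; the function names, the name patterns, the minimum value length and the sample environment are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Assumed name patterns for sensitive variables (constructed for this example).
var redactedVars = []string{"*_PASSWORD", "*_SECRET", "*_TOKEN"}

// leakedVars returns, sorted, the names of variables whose name matches a
// pattern and whose value appears verbatim in the interpolated pipeline text.
func leakedVars(pipeline string, env map[string]string, patterns []string) []string {
	var leaked []string
	for name, value := range env {
		if len(value) < 6 { // very short values would match by accident
			continue
		}
		for _, p := range patterns {
			if ok, _ := path.Match(p, name); ok && strings.Contains(pipeline, value) {
				leaked = append(leaked, name)
				break
			}
		}
	}
	sort.Strings(leaked)
	return leaked
}

// checkUpload fails closed: any match blocks the upload and reports only
// variable names, never the values themselves.
func checkUpload(pipeline string, env map[string]string) error {
	if leaked := leakedVars(pipeline, env, redactedVars); len(leaked) > 0 {
		return fmt.Errorf("refusing upload: pipeline contains values of %s",
			strings.Join(leaked, ", "))
	}
	return nil
}

func main() {
	// Constructed sample environment and pipelines.
	env := map[string]string{
		"DEPLOY_TOKEN": "tok-constructed-123",
		"DB_PASSWORD":  "pw-constructed-456",
		"BUILD_LABEL":  "release-candidate",
	}
	leaky := "steps:\n  - command: deploy --token tok-constructed-123 --label release-candidate\n"
	clean := "steps:\n  - command: deploy --label release-candidate\n"
	fmt.Println("leaky:", checkUpload(leaky, env))
	fmt.Println("clean:", checkUpload(clean, env))
}
```

A plain substring match misses secrets that were encoded or transformed before interpolation, so a check like this complements log redaction and secret handling rather than replacing them.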