{"id":50825526,"url":"https://github.com/rgglez/go-bash-env-redact","last_synced_at":"2026-06-13T18:39:26.409Z","repository":{"id":364197113,"uuid":"1266857576","full_name":"rgglez/go-bash-env-redact","owner":"rgglez","description":"Redact sensitive values in files containing environment variables.","archived":false,"fork":false,"pushed_at":"2026-06-12T03:04:00.000Z","size":31,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-12T04:17:48.763Z","etag":null,"topics":["environment-variables","golang","obscure","privacy-protection","redaction","utility"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgglez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-12T02:37:52.000Z","updated_at":"2026-06-12T03:04:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rgglez/go-bash-env-redact","commit_stats":null,"previous_names":["rgglez/go-bash-env-redact"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/rgglez/go-bash-env-redact","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgglez%2Fgo-bash-env-redact","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgglez%2Fgo-bash-env-redact/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgglez%2Fgo-bash-env-redact/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgglez%2Fgo-bash-env-redact/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgglez","download_url":"https://codeload.github.com/rgglez/go-bash-env-redact/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgglez%2Fgo-bash-env-redact/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34296380,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["environment-variables","golang","obscure","privacy-protection","redaction","utility"],"created_at":"2026-06-13T18:39:25.667Z","updated_at":"2026-06-13T18:39:26.404Z","avatar_url":"https://github.com/rgglez.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# redactenv\n\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n[![Go dev](https://pkg.go.dev/badge/github.com/rgglez/go-storage/v5)](https://pkg.go.dev/gitub.com/rgglez/go-bash-env-redact/v5)\n[![Go Report Card](https://goreportcard.com/badge/github.com/rgglez/bash-env-redact/v5)](https://goreportcard.com/report/github.com/rgglez/go-bash-env-redact/v5)\n![GitHub stars](https://img.shields.io/github/stars/rgglez/go-bash-env-redact?style=social)\n![GitHub forks](https://img.shields.io/github/forks/rgglez/go-bash-env-redact?style=social)\n\n*redactenv* reads a bash/`.env`-style file where each line is either:\n\n```bash\nVARIABLE=value\nexport VARIABLE=value\n```\n\nand writes a copy with every sensitive VALUE replaced by a safe placeholder,\nkeeping the structure intact (variable names, comments, quoting style,\nindentation, inline comments, blank lines, etc.).\n\nThe result is safe to paste into a chatbot or send over a messaging app.\n\n## Usage\n\n```bash\nredactenv [flags] \u003cinput\u003e\n```\n\n- `\u003cinput\u003e` — file to read, or `-` for stdin.\n- `-o \u003cfile\u003e` — output file (default: stdout).\n- `--strict` — redact everything, including booleans, numbers and common enums.\n- `--strip-comments` — remove comments (they can contain secrets too).\n- `--keep-private-ips` — do not redact RFC-1918 / loopback addresses.\n- `--keep \u003clist\u003e` — comma-separated variable names to leave untouched.\n- `--force \u003clist\u003e` — comma-separated variable names to always redact.\n\n## Build\n\n### Using Make\n\n| Target | Output | Description |\n|---|---|---|\n| `make` / `make build` | `build/redactenv[.exe]` | Builds for the current OS/arch (auto-detected via `go env`) |\n| `make linux` | `build/redactenv_linux` | Cross-compiles for `linux/amd64` |\n| `make darwin` | `build/redactenv_mac` | Cross-compiles for `darwin/arm64` |\n| `make windows` | `build/redactenv.exe` | Cross-compiles for `windows/amd64` |\n| `make all-platforms` | all three above | Builds for all platforms in one step |\n| `make clean` | — | Removes the `build/` directory |\n\nOverride OS or architecture: `make build GOOS=linux GOARCH=arm64`.\n\n### Manually\n\n```bash\ngo build -o redactenv redactenv.go\n```\n\nCross-compile examples:\n\n```bash\nGOOS=linux   GOARCH=amd64  go build -o redactenv_linux   redactenv.go\nGOOS=darwin  GOARCH=arm64  go build -o redactenv_mac     redactenv.go\nGOOS=windows GOARCH=amd64  go build -o redactenv.exe     redactenv.go\n```\n\n## Installation\n\nMove the resulting executable to your preferred directory. For example:\n\n```bash\nsudo mv build/redactenv /usr/local/bin/\n```\n\n## Architecture\n\nThe program is a single-pass pipeline with six source files, each with a single\nresponsibility:\n\n```\n┌─────────────────────────────────────────────────────────┐\n│                        main.go                          │\n│  Parse flags → read → process each line → write         │\n└───────┬─────────────────────────┬───────────────────────┘\n        │                         │\n        ▼                         ▼\n   ┌──────────┐            ┌─────────────┐\n   │  io.go   │            │  parser.go  │\n   │ readLines│            │ processLine │\n   │writeLines│            │  splitRHS   │\n   └──────────┘            └──────┬──────┘\n                                  │\n                    ┌─────────────┴──────────────┐\n                    ▼                            ▼\n             ┌──────────────┐          ┌──────────────────┐\n             │ classify.go  │          │  anonymiser.go   │\n             │classifyValue │◄─────────│  Anonymiser      │\n             │isSensitiveKey│          │  Redact()        │\n             └──────────────┘          │  placeholder()   │\n                                       └──────────────────┘\n                    ▲                            ▲\n                    └──────────┬─────────────────┘\n                               │\n                   ┌───────────┴──────────┐\n                   │      patterns.go     │\n                   │  sensitivePatterns   │\n                   │  safeTextValues      │\n                   │  boolLiterals        │\n                   └──────────────────────┘\n                               ▲\n                   ┌───────────┴──────────┐\n                   │      regexps.go      │\n                   │  assignmentRE        │\n                   │  emailRE, schemeRE…  │\n                   └──────────────────────┘\n```\n\n### Processing pipeline\n\nFor each line in the input file:\n\n1. **`parser.go` — `processLine`**\n   - Skip or strip pure comment lines (`# …`).\n   - Match the line against `assignmentRE` to extract `indent`, optional\n     `export` keyword, `key`, and `rest`.\n   - Call `splitRHS` to separate the raw value from its quoting style (`\"`, `'`,\n     or unquoted) and any trailing inline comment.\n   - Check the `--keep` / `--force` override lists; otherwise delegate to\n     `Anonymiser.Redact`.\n   - Reconstruct the output line preserving original structure.\n\n2. **`classify.go` — `classifyValue` + `isSensitiveKey`**\n   - `isSensitiveKey` does a case-insensitive substring search of the variable\n     name against `sensitivePatterns` (e.g. `password`, `token`, `key`…).\n   - `classifyValue` probes the value with compiled regexps and `net.ParseIP` to\n     return one of: `empty`, `bool`, `int`, `float`, `email`, `ip`, `url`,\n     `path`, `text`.\n\n3. **`anonymiser.go` — `Anonymiser.Redact`**\n   - If `sensitive=false` and `strict=false`, harmless types (`bool`, `int`,\n     `float`, `safeTextValues`) pass through unchanged.\n   - Otherwise calls `placeholder(sensitive, type, rawValue)`.\n   - A `map[cacheKey]string` cache ensures the same raw value always maps to the\n     same placeholder (consistent substitution across the file).\n   - Type-specific generators produce realistic-looking but safe replacements:\n     RFC 5737 IPs, `@example.com` emails, sanitised URLs that keep scheme and\n     port, paths that keep file extension.\n   - If the generated placeholder contains shell metacharacters and the original\n     was unquoted, double-quotes are added automatically.\n\n4. **`io.go`** — thin I/O layer; supports `-` (stdin/stdout) for pipe-friendly\n   use.\n\n5. **`patterns.go` / `regexps.go`** — static data and pre-compiled regexps, kept\n   separate to make the heuristic lists easy to audit and extend.\n\n## Value detection strategy\n\nEach value is classified by type (bool, integer, float, email, IP, URL, path,\nplain text) and replaced by a placeholder of the same type so the redacted file\nstill conveys enough context to be useful:\n\n- A variable whose **name** suggests a secret (`PASSWORD`, `TOKEN`, `KEY`,\n  `SECRET`, `JWT`, …) is always redacted as `REDACTED_N`, regardless of the\n  value.\n- Emails become `userN@example.com`.\n- IPv4 addresses become addresses from `203.0.113.0/24` (RFC 5737 documentation\n  range). IPv6 becomes `2001:db8::` (RFC 3849).\n- URLs keep their scheme and port but the host/path/credentials/query are\n  replaced.\n- Filesystem paths keep their extension.\n- Repeated identical values always map to the same placeholder (consistent\n  substitution), so relationships between variables are preserved.\n\nIn non-strict mode, boolean literals, numbers, and common configuration enums\n(`production`, `debug`, `info`, …) are left as-is because they carry no personal\ninformation.\n\n### Limitations\n\n* Sensitive pattern detection is based on English variable names only.\n\n## License\n\nCopyright (C) 2026 Rodolfo González González.\n\nReleased under the\n[GNU General Public License v3.0](https://www.gnu.org/licenses/gpl-3.0.html).\nPlease read the [LICENSE](LICENSE) file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgglez%2Fgo-bash-env-redact","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgglez%2Fgo-bash-env-redact","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgglez%2Fgo-bash-env-redact/lists"}