Mask secrets (#1382)

2025-01-18 05:18:24 +02:00 · 2020-04-16 14:37:45 +02:00 · 2020-04-16 14:37:45 +02:00 · ce4be51362
commit ce4be51362
parent 4061881b53
39 changed files with 233 additions and 25 deletions
--- a/cmd/abapEnvironmentPullGitRepo_generated.go
+++ b/cmd/abapEnvironmentPullGitRepo_generated.go
@ -44,7 +44,13 @@ Please provide either of the following options:
 			startTime = time.Now()
 			log.SetStepName("abapEnvironmentPullGitRepo")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "abapEnvironmentPullGitRepo", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "abapEnvironmentPullGitRepo", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Username)
+			log.RegisterSecret(stepConfig.Password)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/artifactPrepareVersion_generated.go
+++ b/cmd/artifactPrepareVersion_generated.go
@ -140,7 +140,13 @@ Define ` + "`" + `buildTool: custom` + "`" + `, ` + "`" + `filePath: <path to yo
 			startTime = time.Now()
 			log.SetStepName("artifactPrepareVersion")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "artifactPrepareVersion", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "artifactPrepareVersion", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Password)
+			log.RegisterSecret(stepConfig.Username)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/checkmarxExecuteScan_generated.go
+++ b/cmd/checkmarxExecuteScan_generated.go
@ -182,7 +182,13 @@ thresholds instead of ` + "`" + `percentage` + "`" + ` whereas we strongly recom
 			startTime = time.Now()
 			log.SetStepName("checkmarxExecuteScan")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "checkmarxExecuteScan", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "checkmarxExecuteScan", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Password)
+			log.RegisterSecret(stepConfig.Username)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/cloudFoundryCreateServiceKey_generated.go
+++ b/cmd/cloudFoundryCreateServiceKey_generated.go
@ -38,7 +38,13 @@ func CloudFoundryCreateServiceKeyCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("cloudFoundryCreateServiceKey")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "cloudFoundryCreateServiceKey", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "cloudFoundryCreateServiceKey", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Username)
+			log.RegisterSecret(stepConfig.Password)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/cloudFoundryDeleteService_generated.go
+++ b/cmd/cloudFoundryDeleteService_generated.go
@ -37,7 +37,13 @@ func CloudFoundryDeleteServiceCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("cloudFoundryDeleteService")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "cloudFoundryDeleteService", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "cloudFoundryDeleteService", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Username)
+			log.RegisterSecret(stepConfig.Password)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/detectExecuteScan_generated.go
+++ b/cmd/detectExecuteScan_generated.go
@ -38,7 +38,12 @@ func DetectExecuteScanCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("detectExecuteScan")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "detectExecuteScan", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "detectExecuteScan", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.APIToken)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/githubCreatePullRequest_generated.go
+++ b/cmd/githubCreatePullRequest_generated.go
@ -43,7 +43,12 @@ It can for example be used for GitOps scenarios or for scenarios where you want
 			startTime = time.Now()
 			log.SetStepName("githubCreatePullRequest")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "githubCreatePullRequest", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "githubCreatePullRequest", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Token)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/githubPublishRelease_generated.go
+++ b/cmd/githubPublishRelease_generated.go
@ -53,7 +53,12 @@ The result looks like
 			startTime = time.Now()
 			log.SetStepName("githubPublishRelease")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "githubPublishRelease", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "githubPublishRelease", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Token)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/karmaExecuteTests_generated.go
+++ b/cmd/karmaExecuteTests_generated.go
@ -42,7 +42,11 @@ In the Docker network, the containers can be referenced by the values provided i
 			startTime = time.Now()
 			log.SetStepName("karmaExecuteTests")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "karmaExecuteTests", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "karmaExecuteTests", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/kubernetesDeploy_generated.go
+++ b/cmd/kubernetesDeploy_generated.go
@ -66,7 +66,15 @@ helm upgrade <deploymentName> <chartPath> --install --force --namespace <namespa
 			startTime = time.Now()
 			log.SetStepName("kubernetesDeploy")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "kubernetesDeploy", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "kubernetesDeploy", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.ContainerRegistryPassword)
+			log.RegisterSecret(stepConfig.ContainerRegistryUser)
+			log.RegisterSecret(stepConfig.ContainerRegistrySecret)
+			log.RegisterSecret(stepConfig.KubeToken)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/mavenBuild_generated.go
+++ b/cmd/mavenBuild_generated.go
@ -39,7 +39,11 @@ supports ci friendly versioning by flattening the pom before installing.`,
 			startTime = time.Now()
 			log.SetStepName("mavenBuild")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "mavenBuild", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "mavenBuild", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/mavenExecuteStaticCodeChecks_generated.go
+++ b/cmd/mavenExecuteStaticCodeChecks_generated.go
@ -49,7 +49,11 @@ For PMD the failure priority and the max allowed violations are configurable via
 			startTime = time.Now()
 			log.SetStepName("mavenExecuteStaticCodeChecks")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "mavenExecuteStaticCodeChecks", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "mavenExecuteStaticCodeChecks", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/mavenExecute_generated.go
+++ b/cmd/mavenExecute_generated.go
@ -39,7 +39,11 @@ func MavenExecuteCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("mavenExecute")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "mavenExecute", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "mavenExecute", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/mtaBuild_generated.go
+++ b/cmd/mtaBuild_generated.go
@ -69,7 +69,11 @@ func MtaBuildCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("mtaBuild")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "mtaBuild", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "mtaBuild", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/nexusUpload_generated.go
+++ b/cmd/nexusUpload_generated.go
@ -57,7 +57,13 @@ If an image for mavenExecute is configured, and npm packages are to be published
 			startTime = time.Now()
 			log.SetStepName("nexusUpload")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "nexusUpload", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "nexusUpload", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.User)
+			log.RegisterSecret(stepConfig.Password)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/protecodeExecuteScan_generated.go
+++ b/cmd/protecodeExecuteScan_generated.go
@ -97,7 +97,13 @@ func ProtecodeExecuteScanCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("protecodeExecuteScan")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "protecodeExecuteScan", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "protecodeExecuteScan", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.User)
+			log.RegisterSecret(stepConfig.Password)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/sonarExecuteScan_generated.go
+++ b/cmd/sonarExecuteScan_generated.go
@ -49,7 +49,13 @@ func SonarExecuteScanCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("sonarExecuteScan")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "sonarExecuteScan", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "sonarExecuteScan", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.Token)
+			log.RegisterSecret(stepConfig.GithubToken)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/version_generated.go
+++ b/cmd/version_generated.go
@ -29,7 +29,11 @@ func VersionCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("version")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "version", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "version", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/cmd/xsDeploy_generated.go
+++ b/cmd/xsDeploy_generated.go
@ -72,7 +72,13 @@ func XsDeployCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("xsDeploy")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "xsDeploy", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "xsDeploy", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			log.RegisterSecret(stepConfig.User)
+			log.RegisterSecret(stepConfig.Password)
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/pkg/config/stepmeta.go
+++ b/pkg/config/stepmeta.go
@ -54,6 +54,7 @@ type StepParameters struct {
 	Default         interface{}         `json:"default,omitempty"`
 	Aliases         []Alias             `json:"aliases,omitempty"`
 	Conditions      []Condition         `json:"conditions,omitempty"`
+	Secret          bool                `json:"secret,omitempty"`
 }

 // ResourceReference defines the parameters of a resource reference
--- a/pkg/generator/helper/helper.go
+++ b/pkg/generator/helper/helper.go
@ -27,6 +27,7 @@ type stepInfo struct {
 	Short            string
 	StepFunc         string
 	StepName         string
+	StepSecrets      []string
 }

 //StepGoTemplate ...
@ -81,7 +82,13 @@ func {{.CobraCmdFuncName}}() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("{{ .StepName }}")
 			log.SetVerbose({{if .ExportPrefix}}{{ .ExportPrefix }}.{{end}}GeneralConfig.Verbose)
-			return {{if .ExportPrefix}}{{ .ExportPrefix }}.{{end}}PrepareConfig(cmd, &metadata, "{{ .StepName }}", &stepConfig, config.OpenPiperFile)
+			err := {{if .ExportPrefix}}{{ .ExportPrefix }}.{{end}}PrepareConfig(cmd, &metadata, "{{ .StepName }}", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			{{- range $key, $value := .StepSecrets }}
+			log.RegisterSecret(stepConfig.{{ $value | golangName  }}){{end}}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
@ -309,10 +316,22 @@ func getStepInfo(stepData *config.StepData, osImport bool, exportPrefix string)
 			OSImport:         osImport,
 			OutputResources:  oRes,
 			ExportPrefix:     exportPrefix,
+			StepSecrets:      getSecretFields(stepData),
 		},
 		err
 }

+func getSecretFields(stepData *config.StepData) []string {
+	var secretFields []string
+
+	for _, parameter := range stepData.Spec.Inputs.Parameters {
+		if parameter.Secret {
+			secretFields = append(secretFields, parameter.Name)
+		}
+	}
+	return secretFields
+}
+
 func getOutputResourceDetails(stepData *config.StepData) ([]map[string]string, error) {
 	outputResources := []map[string]string{}

--- a/pkg/generator/helper/helper_test.go
+++ b/pkg/generator/helper/helper_test.go
@ -93,7 +93,7 @@ func TestProcessMetaFiles(t *testing.T) {
 		if err != nil {
 			t.Fatalf("failed reading %v", goldenFilePath)
 		}
-		assert.Equal(t, expected, files["cmd/testStep_generated.go"])
+		assert.Equal(t, string(expected), string(files["cmd/testStep_generated.go"]))
 		t.Log(string(files["cmd/testStep_generated.go"]))
 	})

@ -103,7 +103,7 @@ func TestProcessMetaFiles(t *testing.T) {
 		if err != nil {
 			t.Fatalf("failed reading %v", goldenFilePath)
 		}
-		assert.Equal(t, expected, files["cmd/testStep_generated_test.go"])
+		assert.Equal(t, string(expected), string(files["cmd/testStep_generated_test.go"]))
 	})

 	t.Run("custom step code", func(t *testing.T) {
@ -115,7 +115,7 @@ func TestProcessMetaFiles(t *testing.T) {
 		if err != nil {
 			t.Fatalf("failed reading %v", goldenFilePath)
 		}
-		assert.Equal(t, expected, files["cmd/testStep_generated.go"])
+		assert.Equal(t, string(expected), string(files["cmd/testStep_generated.go"]))
 		t.Log(string(files["cmd/testStep_generated.go"]))
 	})
 }
--- a/pkg/generator/helper/testdata/TestProcessMetaFiles/custom_step_code_generated.golden
+++ b/pkg/generator/helper/testdata/TestProcessMetaFiles/custom_step_code_generated.golden
@ -107,7 +107,11 @@ func TestStepCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("testStep")
 			log.SetVerbose(piperOsCmd.GeneralConfig.Verbose)
-			return piperOsCmd.PrepareConfig(cmd, &metadata, "testStep", &stepConfig, config.OpenPiperFile)
+			err := piperOsCmd.PrepareConfig(cmd, &metadata, "testStep", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/pkg/generator/helper/testdata/TestProcessMetaFiles/step_code_generated.golden
+++ b/pkg/generator/helper/testdata/TestProcessMetaFiles/step_code_generated.golden
@ -106,7 +106,11 @@ func TestStepCommand() *cobra.Command {
 			startTime = time.Now()
 			log.SetStepName("testStep")
 			log.SetVerbose(GeneralConfig.Verbose)
-			return PrepareConfig(cmd, &metadata, "testStep", &stepConfig, config.OpenPiperFile)
+			err := PrepareConfig(cmd, &metadata, "testStep", &stepConfig, config.OpenPiperFile)
+			if err != nil {
+				return err
+			}
+			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			telemetryData := telemetry.CustomData{}
--- a/pkg/log/log.go
+++ b/pkg/log/log.go
@ -2,17 +2,42 @@ package log

 import (
 	"github.com/sirupsen/logrus"
+	"strings"
 )

+type RemoveSecretFormatterDecorator struct {
+	logrus.TextFormatter
+}
+
+func (formatter *RemoveSecretFormatterDecorator) Format(entry *logrus.Entry) (bytes []byte, err error) {
+	formattedMessage, err := formatter.TextFormatter.Format(entry)
+
+	if err != nil {
+		return nil, err
+	}
+
+	message := string(formattedMessage)
+
+	for _, secret := range secrets {
+		message = strings.Replace(message, secret, "****", -1)
+	}
+
+	return []byte(message), nil
+}
+
 // LibraryRepository that is passed into with -ldflags
 var LibraryRepository string
 var logger *logrus.Entry
+var secrets []string

 // Entry returns the logger entry or creates one if none is present.
 func Entry() *logrus.Entry {
 	if logger == nil {
 		logger = logrus.WithField("library", LibraryRepository)
 	}
+
+	logger.Logger.SetFormatter(&RemoveSecretFormatterDecorator{})
+
 	return logger
 }

@ -33,3 +58,9 @@ func SetStepName(stepName string) {
 func DeferExitHandler(handler func()) {
 	logrus.DeferExitHandler(handler)
 }
+
+func RegisterSecret(secret string) {
+	if len(secret) > 0 {
+		secrets = append(secrets, secret)
+	}
+}
--- a/pkg/log/log_test.go
+++ b/pkg/log/log_test.go
@ -0,0 +1,23 @@
+package log
+
+import (
+	"bytes"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestSecrets(t *testing.T) {
+	t.Run("should log", func(t *testing.T) {
+		secret := "password"
+
+		var buffer bytes.Buffer
+		Entry().Logger.SetOutput(&buffer)
+		Entry().Infof("My secret is %s.", secret)
+		assert.Contains(t, buffer.String(), secret)
+
+		buffer.Reset()
+		RegisterSecret(secret)
+		Entry().Infof("My secret is %s.", secret)
+		assert.NotContains(t, buffer.String(), secret)
+	})
+}
--- a/resources/metadata/abapEnvironmentPullGitRepo.yaml
+++ b/resources/metadata/abapEnvironmentPullGitRepo.yaml
@ -24,6 +24,7 @@ spec:
        - STAGES
        - STEPS
        mandatory: true
+        secret: true
      - name: password
        type: string
        description: Password for either the Cloud Foundry API or the Communication Arrangement for SAP_COM_0510
@ -32,6 +33,7 @@ spec:
        - STAGES
        - STEPS
        mandatory: true
+        secret: true
      - name: repositoryName
        type: string
        description: Specifies the name of the Repository (Software Component) on the SAP Cloud Platform ABAP Environment system
--- a/resources/metadata/checkmarx.yaml
+++ b/resources/metadata/checkmarx.yaml
@ -82,6 +82,7 @@ spec:
      - PARAMETERS
      - STAGES
      - STEPS
+      secret: true
    - name: preset
      type: string
      description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`
@ -155,6 +156,7 @@ spec:
      - PARAMETERS
      - STAGES
      - STEPS
+      secret: true
    - name: vulnerabilityThresholdEnabled
      type: bool
      description: Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
--- a/resources/metadata/cloudFoundryCreateServiceKey.yaml
+++ b/resources/metadata/cloudFoundryCreateServiceKey.yaml
@ -28,6 +28,7 @@ spec:
        - PARAMETERS
        - STAGES
        - STEPS
+        secret: true
        mandatory: true
      - name: password
        type: string
@ -37,6 +38,7 @@ spec:
        - STAGES
        - STEPS
        mandatory: true
+        secret: true
      - name: cfOrg
        type: string
        description: CF org
--- a/resources/metadata/cloudFoundryDeleteService.yaml
+++ b/resources/metadata/cloudFoundryDeleteService.yaml
@ -28,6 +28,7 @@ spec:
        - STAGES
        - STEPS
        mandatory: true
+        secret: true
      - name: password
        type: string
        description: User Password for CF User
@ -36,6 +37,7 @@ spec:
        - STAGES
        - STEPS
        mandatory: true
+        secret: true
      - name: cfOrg
        type: string
        description: CF org
--- a/resources/metadata/detect.yaml
+++ b/resources/metadata/detect.yaml
@ -21,6 +21,7 @@ spec:
        description: Api token to be used for connectivity with Synopsis Detect server.
        type: string
        mandatory: true
+        secret: true
        scope:
        - PARAMETERS
        - STAGES
--- a/resources/metadata/githubcreatepr.yaml
+++ b/resources/metadata/githubcreatepr.yaml
@ -106,6 +106,7 @@ spec:
      - STEPS
      type: string
      mandatory: true
+      secret: true
    - name: labels
      description: Labels to be added to the pull request.
      scope:
--- a/resources/metadata/githubrelease.yaml
+++ b/resources/metadata/githubrelease.yaml
@ -132,6 +132,7 @@ spec:
        - STEPS
        type: string
        mandatory: true
+        secret: true
      - name: uploadUrl
        aliases:
          - name: githubUploadUrl
--- a/resources/metadata/kubernetesdeploy.yaml
+++ b/resources/metadata/kubernetesdeploy.yaml
@ -79,6 +79,7 @@ spec:
          - PARAMETERS
          - STAGES
          - STEPS
+        secret: true
      - name: containerRegistryUrl
        aliases:
          - name: dockerRegistryUrl
@ -97,6 +98,7 @@ spec:
          - PARAMETERS
          - STAGES
          - STEPS
+        secret: true
      - name: containerRegistrySecret
        description: Name of the container registry secret used for pulling containers from the registry.
        type: string
@ -105,6 +107,7 @@ spec:
          - STAGES
          - STEPS
        default: regsecret
+        secret: true
      - name: createDockerRegistrySecret
        type: bool
        description: Toggle to turn on Regsecret creation with a \"deployTool:kubectl\" deployment.
@ -186,6 +189,7 @@ spec:
          - PARAMETERS
          - STAGES
          - STEPS
+        secret: true
      - name: namespace
        aliases:
          - name: helmDeploymentNamespace
--- a/resources/metadata/nexusUpload.yaml
+++ b/resources/metadata/nexusUpload.yaml
@ -115,11 +115,13 @@ spec:
        description: Username for accessing the Nexus endpoint.
        scope:
        - PARAMETERS
+        secret: true
      - name: password
        type: string
        description: Password for accessing the Nexus endpoint.
        scope:
        - PARAMETERS
+        secret: true
  containers:
    # To allow both maven and mta we require an image that contains both tools. If the user configures an image for mavenExecute that also needs to contain both.
    - name: mvn-npm
--- a/resources/metadata/protecode.yaml
+++ b/resources/metadata/protecode.yaml
@ -144,6 +144,7 @@ spec:
        - PARAMETERS
        - STAGES
        - STEPS
+      secret: true
    - name: password
      type: string
      description: Password which is used for the user
@ -152,6 +153,7 @@ spec:
        - PARAMETERS
        - STAGES
        - STEPS
+      secret: true
    - name: artifactVersion
      type: string
      description: The version of the artifact to allow identification in protecode backend
--- a/resources/metadata/sonar.yaml
+++ b/resources/metadata/sonar.yaml
@ -27,6 +27,7 @@ spec:
        description: Token used to authenticate with the Sonar Server.
        scope:
          - PARAMETERS
+        secret: true
        aliases:
          - name: sonarToken
      - name: organization
@ -133,6 +134,7 @@ spec:
        description: "Pull-Request only: Token for Github to set status on the Pull-Request."
        scope:
          - PARAMETERS
+        secret: true
      - name: disableInlineComments
        type: bool
        description: "Pull-Request only: Disables the pull-request decoration with inline comments. DEPRECATED: only supported in SonarQube < 7.2"
--- a/resources/metadata/versioning.yaml
+++ b/resources/metadata/versioning.yaml
@ -154,6 +154,7 @@ spec:
        - PARAMETERS
        - STAGES
        - STEPS
+        secret: true
      - name: projectSettingsFile
        aliases:
          - name: maven/projectSettingsFile
@ -179,6 +180,7 @@ spec:
        - PARAMETERS
        - STAGES
        - STEPS
+        secret: true
      - name: versioningTemplate
        type: string
        description: "DEPRECATED: Defines the template for the automatic version which will be created"
--- a/resources/metadata/xsDeploy.yaml
+++ b/resources/metadata/xsDeploy.yaml
@ -86,6 +86,7 @@ spec:
        - PARAMETERS
        - STAGES
        - STEPS
+        secret: true
        mandatory: true
      - name: password
        type: string
@ -94,6 +95,7 @@ spec:
        - PARAMETERS
        - STAGES
        - STEPS
+        secret: true
        mandatory: true
      - name: org
        type: string