[CWS] add jwt as default sensitive word

safchain · safchain · commit a2592ced368e · 2026-04-08T17:39:21.000+02:00
diff --git a/pkg/security/utils/scrubber.go b/pkg/security/utils/scrubber.go
@@ -16,7 +16,7 @@ import (
 )
 
 var (
-	additionals = []string{"*token*"}
+	additionals = []string{"*token*", "*jwt*"}
 )
 
 // Scrubber is a struct that holds the proc scrubber and the regex scrubber
diff --git a/pkg/security/utils/scrubber_test.go b/pkg/security/utils/scrubber_test.go
@@ -13,21 +13,45 @@ import (
 )
 
 func TestScrubber(t *testing.T) {
-	t.Run("cmdline", func(t *testing.T) {
-		scrubber, err := NewScrubber([]string{"token"}, []string{"t[a-z]*n", "t.st"})
+	t.Run("cmdline-default", func(t *testing.T) {
+		scrubber, err := NewScrubber(nil, nil)
 		assert.NoError(t, err)
 		assert.NotNil(t, scrubber)
 
-		scrubbed := scrubber.ScrubCommand([]string{"--token 1234567890 --test 1234567890"})
+		scrubbed := scrubber.ScrubCommand([]string{"cmd --secret 1234567890 --token 1234567890 --jwt abc"})
+		assert.Equal(t, []string{"cmd", "--secret", "********", "--token", "********", "--jwt", "********"}, scrubbed)
+
+		scrubbed = scrubber.ScrubCommand([]string{"cmd", "--secret", "1234567890", "--token", "1234567890", "--jwt", "abc"})
+		assert.Equal(t, []string{"cmd", "--secret", "********", "--token", "********", "--jwt", "********"}, scrubbed)
+	})
+
+	t.Run("cmdline-custom-word", func(t *testing.T) {
+		scrubber, err := NewScrubber([]string{"custom"}, nil)
+		assert.NoError(t, err)
+		assert.NotNil(t, scrubber)
+
+		scrubbed := scrubber.ScrubCommand([]string{"cmd --secret 1234567890 --token 1234567890 --custom abc"})
+		assert.Equal(t, []string{"cmd", "--secret", "********", "--token", "********", "--custom", "********"}, scrubbed)
+
+		scrubbed = scrubber.ScrubCommand([]string{"cmd", "--secret", "1234567890", "--token", "1234567890", "--custom", "abc"})
+		assert.Equal(t, []string{"cmd", "--secret", "********", "--token", "********", "--custom", "********"}, scrubbed)
+	})
+
+	t.Run("cmdline-custom-regexp", func(t *testing.T) {
+		scrubber, err := NewScrubber(nil, []string{"a[a-z]*c", "t.st"})
+		assert.NoError(t, err)
+		assert.NotNil(t, scrubber)
+
+		scrubbed := scrubber.ScrubCommand([]string{"--abc 1234567890 --test 1234567890"})
 		assert.Equal(t, []string{"--***** 1234567890 --***** 1234567890"}, scrubbed)
 	})
 
-	t.Run("line", func(t *testing.T) {
-		scrubber, err := NewScrubber([]string{"token"}, []string{"t[a-z]*n", "t.st"})
+	t.Run("line-custom-regexp", func(t *testing.T) {
+		scrubber, err := NewScrubber(nil, []string{"a[a-z]*c", "t.st"})
 		assert.NoError(t, err)
 		assert.NotNil(t, scrubber)
 
-		scrubbed := scrubber.ScrubLine("token 1234567890 test 1234567890")
+		scrubbed := scrubber.ScrubLine("abc 1234567890 test 1234567890")
 		assert.Equal(t, "***** 1234567890 ***** 1234567890", scrubbed)
 	})
 }

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ import (`
`16`	`16`	`)`
`17`	`17`
`18`	`18`	`var (`
`19`		`- additionals = []string{"token"}`
	`19`	`+ additionals = []string{"token", "jwt"}`
`20`	`20`	`)`
`21`	`21`
`22`	`22`	`// Scrubber is a struct that holds the proc scrubber and the regex scrubber`