1 change: 1 addition & 0 deletions docs.json
@@ -101,6 +101,7 @@
},

"platform/secrets",
"platform/dynamic-secret-scrubbing",
"platform/data-storage",
"platform/variables",
{
78 changes: 78 additions & 0 deletions platform/dynamic-secret-scrubbing.mdx
@@ -0,0 +1,78 @@
---
title: 'Dynamic Secret Scrubbing'
sidebarTitle: 'Secret Scrubbing'
description: 'Automatically scrub sensitive data from check results'
---

Dynamic secret scrubbing automatically removes sensitive values from logs, traces, screenshots with text, and report trees. Set environment variables with the `CHECKLY_SECRET_*` prefix and the runtime will scrub those values from all output.

## How it works

Assign values to `process.env.CHECKLY_SECRET_*` in your check code:

```javascript
// Direct assignment
process.env.CHECKLY_SECRET_API_KEY = 'your-secret-value'

// From external sources
process.env.CHECKLY_SECRET_PASSWORD = await getFromAzureKeyVault('db-password')
process.env.CHECKLY_SECRET_TOKEN = await fetchFromVault('auth-token')
```

The runtime automatically detects these variables and scrubs their values from:
- Check logs
- Trace files
- Screenshots containing text
- Report trees

## Supported patterns

```javascript
// Bracket notation
process.env['CHECKLY_SECRET_DATABASE_URL'] = connectionString

// Direct assignment
process.env.CHECKLY_SECRET_AUTH_TOKEN = token

// Dynamic retrieval
process.env.CHECKLY_SECRET_PAYMENT_KEY = await vault.get('payment-api-key')
```

## Limitations

- **Check types**: Only works in browser checks and multistep checks
- **Value format**: Must be a string (empty strings, `null`, `undefined`, numbers, objects, and arrays are ignored)
- **Size limit**: Values cannot exceed 128KB (~128,000 characters)

```javascript
// This works ✅
const apiKey = process.env.CHECKLY_SECRET_API_KEY

// This doesn't work ❌
const key = 'CHECKLY_SECRET_' + 'API_KEY'
const apiKey = process.env[key]
```

## Example usage

```javascript
import { test } from '@playwright/test'

test('API call with scrubbed credentials', async ({ page }) => {
// Set secrets at runtime
process.env.CHECKLY_SECRET_API_TOKEN = await getTokenFromVault()
process.env.CHECKLY_SECRET_USER_ID = await getCurrentUserId()

// Use in your test - values will be scrubbed from results
await page.request.post('/api/data', {
headers: {
'Authorization': `Bearer ${process.env.CHECKLY_SECRET_API_TOKEN}`,
'X-User-ID': process.env.CHECKLY_SECRET_USER_ID
}
})
})
```

## Runtime compatibility

This feature is available from runtime `2024.09` onwards. For private locations running older agent versions, contact support for access.
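Review bot: the `## Limitations` list leaves out the rule that the ✅/❌ block directly under it illustrates: the `CHECKLY_SECRET_` name must appear literally in the assignment or lookup, and a key assembled at runtime (`const key = 'CHECKLY_SECRET_' + 'API_KEY'` followed by `process.env[key]`) is not detected. Add a bullet along the lines of "Variable name: must be written literally as `process.env.CHECKLY_SECRET_X` or `process.env['CHECKLY_SECRET_X']`; computed names are not detected" and keep the example beneath it so the code has the rule it demonstrates. Two further documentation gaps: the page never says what a scrubbed value is replaced with in logs, traces and screenshots, and it never states that scrubbing is best-effort (the inline review comment on the `secrets.mdx` hunk raises exactly this), which matters because readers may otherwise treat scrubbed output as safe to share externally. Minor: `128KB (~128,000 characters)` conflates bytes and characters, which differ for multi-byte strings; state the limit in one unit.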
12 changes: 12 additions & 0 deletions platform/secrets.mdx
@@ -128,6 +128,18 @@ Secrets represent the foundation of secure monitoring practices. They enable you

The power of Secrets lies in making security invisible to your monitoring logic—your Checks work exactly the same whether they're using public endpoints or accessing the most sensitive parts of your application, but the security model ensures that sensitive information never leaves the protected environment.

## Alternative: Dynamic Secret Detection
I'm not sure if we're already mentioning this in the docs, but I remember a discussion that secret scrubbing in general is best-effort and not a 100% certainty that things will always, in all cases, be scrubbed, especially while using more obscure/less used PW patterns, for example. Not sure if we want to mention it.


For browser checks and multistep checks, you can also use dynamic secret detection. This approach allows you to retrieve secrets at runtime (from external vaults like Azure Key Vault, AWS Secrets Manager, etc.) and have them automatically scrubbed from logs and traces.

```javascript
// Example: Retrieve from external vault at runtime
process.env.CHECKLY_SECRET_API_KEY = await getFromAzureKeyVault('api-key')
process.env.CHECKLY_SECRET_TOKEN = await fetchFromAWS('auth-token')
```

This is particularly useful for organizations that prefer not to store secrets in Checkly and want to maintain their existing secret management infrastructure. [Learn more about dynamic secret scrubbing](/platform/dynamic-secret-scrubbing).

### Security and Usability Balance

Use dedicated test users, test cards etc. These test users should have minimal privileges in your app. Do not use your admin or root user. Make sure you can easily disable or block these users without recourse.
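Review bot: the heading `## Alternative: Dynamic Secret Detection` names the feature differently from the page it links to (`title: 'Dynamic Secret Scrubbing'`, sidebar title 'Secret Scrubbing'); settle on one term so readers searching the docs find both pages. In the snippet, `getFromAzureKeyVault` and `fetchFromAWS` are illustrative helpers rather than SDK calls, and `fetchFromAWS` also differs from the `fetchFromVault` used on the new page; a comment marking them as placeholders and reusing the same names in both files would stop readers hunting for a non-existent API. Also pick up the inline review comment above: a sentence stating that scrubbing is best-effort, pointing to the limitations on the new page, belongs next to the "automatically scrubbed from logs and traces" claim, since that sentence is what a reader will rely on when deciding what output is safe to share.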