trapdoor monkeypatches ENV so any secret values are available when asked for by name (i.e. ENV['SOME_SECRET']) but are hidden when requested in bulk (i.e. ENV.to_h, ENV.inspect, iterators). This was designed to be a drop in replacement for codebases that use ENV to hold secrets but also use developer tools that may cause these values to be accidentally logged.
- Add to your Gemfile and install with bundle, or
gem install trapdoor require 'trapdoor'
Let's start by inspecting the environment in the repl. We can see SECRET_API_TOKEN and its value.
> ENV
=> {... "SECRET_API_TOKEN"=>"987tfghjo0987yt"}
After loading trapdoor, let's tell it to hide this specific value then inspect the environment again.
> ENV.hide "SECRET_API_TOKEN"
> ENV
=> {... "SECRET_API_TOKEN"=>"**REDACTED**"}
But we can see this value can still be accessed just like before:
> ENV['SECRET_API_TOKEN']
=> "987tfghjo0987yt"
Additionally, we can call ENV.start_smuggling to start redacting all new environment variables. This can be useful if you insert sensitive variables into the environment afterwards so that any non-pre loaded values are redacted.