Custom Secrets Masking Patterns

January 15, 2026 · 2 min read

Founder @ Cloud Posse

Provably safe secrets masking with custom patterns, comprehensive output coverage, and configurable replacement strings.

Why This Matters

Safe secrets management requires provably complete masking - if even one output channel bypasses the masking layer, secrets can leak. This release establishes the foundation for comprehensive secrets management by:

Ensuring all output channels route through masking - terraform output, shell commands, logs, auth commands, help text, and error messages
Enabling custom patterns - extend built-in patterns with organization-specific formats
Providing configurable replacement - customize masked output for compliance requirements

What Changed

Comprehensive Output Coverage

All CLI output now routes through the masking layer:

Terraform/Helmfile command output (stdout/stderr)
Shell command execution
Logger output
Auth command displays
Documentation rendering
Error messages and help text

Custom Pattern Configuration

Define patterns in atmos.yaml to mask organization-specific secrets:

settings:
  terminal:
    mask:
      enabled: true
      replacement: "[REDACTED]"
      patterns:
        - 'demo-key-[A-Za-z0-9]{16}'
        - 'internal-[a-f0-9]{32}'
        - 'tkn_(live|test)_[a-zA-Z0-9]{24}'
      literals:
        - "super-secret-demo-value"
        - "my-api-key-12345"

Built-in Protection

Atmos includes 120+ patterns from the Gitleaks library covering:

AWS keys and session tokens
GitHub/GitLab tokens
API keys and passwords
JWT tokens and private keys

Try It Out

See the secrets-masking example for a complete demo.

Get Involved

Open an issue for feature requests
Join our Slack community for discussions

Why This Matters​

What Changed​

Comprehensive Output Coverage​

Custom Pattern Configuration​

Built-in Protection​

Try It Out​

Get Involved​