As part of my talk last night to St. Louis Serverless about Pulumi, I covered Config, particularly the Secrets part of it. I was amazed, and thoroughly impressed with how hard it was to leak a secret out. I was using Typescript, so of course I showed exporting the secret as an Output and

console.log()

. Then I tried using

someSecret.substring(0)

and

someSecret.substring(0, someSecret.length)

and it wouldn’t leak. Then I tried outputting

someSecret.concat('zzz')

and was amazed to see

[secret]zzz

output. Well done to whoever wrote the interceptor(s) to catch leaking secrets and help prevent their escaping!

yeah I have to say it's a pretty neat feature, even if you just print the same string as the secret it covers it