Feature request description
datadog-ci trace -- <cmd> always reports the full command line — including every argument — in the span's command field, and uses that same string as the default span name.
When the wrapped command takes secrets as arguments (auth tokens, passwords, signed URLs, API keys), those values are sent to Datadog and become visible in the CI Visibility UI and in anyone's access to the trace. Example:
datadog-ci trace -- ./deploy.sh --token "$SECRET"
# reported command/name: "./deploy.sh --token <SECRET>"
There is currently no way to trace a command while keeping its arguments out of the reported span.
Solution
Add a --no-capture boolean flag (default false) to the trace command. When set, only the executable name is reported in the command field instead of the full command line. The child process is still launched with all of its arguments — only the reported span is trimmed. When --name is not provided, the span name also falls back to the executable name so arguments don't leak through the default name; an explicit --name is still honored.
datadog-ci trace --no-capture -- ./deploy.sh --token "$SECRET"
# reported command/name: "./deploy.sh"
Additional context
Alternatives considered: redacting via a pattern/denylist of argument names (more flexible but fragile and hard to get right), or env-var opt-in. A simple all-or-nothing --no-capture flag covers the common "these args are sensitive, don't record them" case with no room for partial leaks.
Scope note: --no-capture only affects the reported command/name. User-supplied --tags, --measures, and DD_TAGS are still reported as-is, since the user controls those explicitly.
Feature request description
datadog-ci trace -- <cmd>always reports the full command line — including every argument — in the span'scommandfield, and uses that same string as the default spanname.When the wrapped command takes secrets as arguments (auth tokens, passwords, signed URLs, API keys), those values are sent to Datadog and become visible in the CI Visibility UI and in anyone's access to the trace. Example:
There is currently no way to trace a command while keeping its arguments out of the reported span.
Solution
Add a
--no-captureboolean flag (defaultfalse) to thetracecommand. When set, only the executable name is reported in thecommandfield instead of the full command line. The child process is still launched with all of its arguments — only the reported span is trimmed. When--nameis not provided, the span name also falls back to the executable name so arguments don't leak through the default name; an explicit--nameis still honored.Additional context
Alternatives considered: redacting via a pattern/denylist of argument names (more flexible but fragile and hard to get right), or env-var opt-in. A simple all-or-nothing
--no-captureflag covers the common "these args are sensitive, don't record them" case with no room for partial leaks.Scope note:
--no-captureonly affects the reportedcommand/name. User-supplied--tags,--measures, andDD_TAGSare still reported as-is, since the user controls those explicitly.