fix(otel): harden tracing to prevent sensitive data leakage #97
Merged
Demote GPG stderr and key-count metadata to trace/debug level so fingerprints, key IDs, and email addresses are not exported via OTel spans. Add SECURITY comments to shim.rs (tracing must stay uninitialized) and main.rs (do not add process resource detectors).
Forward port 16686 for Jaeger UI access and disable automatic port forwarding to avoid exposing unintended services.
…customization Replace forwardPorts with portsAttributes for fine-grained control, switch autoForwardPortsSource to process, and add a generate script that customizes the Jaeger browser tab title with the project name from Cargo.toml.
Code Metrics Report
Code coverage of files in pull request scope (93.0%)
Reported by octocov
naa0yama pushed a commit that referenced this pull request Mar 16, 2026
<!-- Release notes generated using configuration in .github/release.yml at main --> ## What's Changed ### Documentation 🗒️ * refactor(skills): apply boilerplate-rust template to skills hierarchy by @naa0yama in #91 ### Dependency Updates 📦 * chore(deps): update taiki-e/install-action action to v2.68.1 by @renovate[bot] in #45 * chore(deps): update taiki-e/install-action action to v2.68.2 by @renovate[bot] in #47 * chore(deps): update dependency usage to v2.17.4 by @renovate[bot] in #48 * chore(deps): update taiki-e/install-action action to v2.68.3 by @renovate[bot] in #50 * chore(deps): update taiki-e/install-action action to v2.68.4 by @renovate[bot] in #51 * chore(deps): update github/codeql-action action to v4.32.4 by @renovate[bot] in #52 * chore(deps): update taiki-e/install-action action to v2.68.5 by @renovate[bot] in #53 * chore(deps): update taiki-e/install-action action to v2.68.6 by @renovate[bot] in #54 * chore(deps): update taiki-e/install-action action to v2.68.7 by @renovate[bot] in #55 * chore(deps): update actions/attest-build-provenance action to v3 by @renovate[bot] in #13 * chore(deps): update taiki-e/install-action action to v2.68.8 by @renovate[bot] in #58 * chore(deps): update jdx/mise-action digest to e79ddf6 by @renovate[bot] in #59 * chore(deps): update rust crate tempfile to v3.26.0 by @renovate[bot] in #61 * chore(deps): update taiki-e/install-action action to v2.68.9 by @renovate[bot] in #65 * chore(deps): update dependency usage to v2.18.1 by @renovate[bot] in #64 * chore(deps): update songmu/tagpr action to v1.17.1 by @renovate[bot] in #66 * chore(deps): update taiki-e/install-action action to v2.68.10 by @renovate[bot] in #68 * chore(deps): update taiki-e/install-action action to v2.68.11 by @renovate[bot] in #69 * chore(deps): update taiki-e/install-action action to v2.68.12 by @renovate[bot] in #70 * chore(deps): update all action update by @renovate[bot] in #71 * chore(deps): update taiki-e/install-action action to v2.68.14 by 
@renovate[bot] in #72 * chore(deps): update taiki-e/install-action action to v2.68.15 by @renovate[bot] in #73 * chore(deps): update actions-rust-lang/setup-rust-toolchain action to v1.15.3 by @renovate[bot] in #74 * chore(deps): update dependency usage to v2.18.2 by @renovate[bot] in #75 * chore(deps): update taiki-e/install-action action to v2.68.16 by @renovate[bot] in #76 * chore(deps): update github/codeql-action action to v4.32.5 by @renovate[bot] in #78 * chore(deps): update taiki-e/install-action action to v2.68.17 by @renovate[bot] in #79 * chore(deps): update dependency github:rust-secure-code/cargo-auditable to v0.7.3 by @renovate[bot] in #80 * chore(deps): update taiki-e/install-action action to v2.68.18 by @renovate[bot] in #81 * chore(deps): update rust docker tag to v1.93.1 by @renovate[bot] in #82 * chore(deps): update taiki-e/install-action action to v2.68.19 by @renovate[bot] in #85 * chore(deps): update github/codeql-action action to v4.32.6 by @renovate[bot] in #86 * chore(deps): update taiki-e/install-action action to v2.68.20 by @renovate[bot] in #87 * chore(deps): update taiki-e/install-action action to v2.68.21 by @renovate[bot] in #88 * chore(deps): update taiki-e/install-action action to v2.68.22 by @renovate[bot] in #89 * chore(deps): update taiki-e/install-action action to v2.68.23 by @renovate[bot] in #90 * chore(deps): update dependency github:rust-secure-code/cargo-auditable to v0.7.4 by @renovate[bot] in #83 * chore(deps): update dependency aqua:ast-grep/ast-grep to v0.41.0 by @renovate[bot] in #57 * chore(deps): update dependency dprint to v0.52.0 by @renovate[bot] in #67 * chore(deps): update all action update (major) by @renovate[bot] in #60 * chore(deps): update all action update by @renovate[bot] in #94 * chore(deps): update taiki-e/install-action action to v2.68.25 by @renovate[bot] in #95 * chore(deps): update zizmorcore/zizmor-action action to v0.5.2 by @renovate[bot] in #96 ### Other Changes * chore: backport-2 by @naa0yama 
in #56 * feat(deps): cargo target cleanup by @naa0yama in #62 * chore: claude skills update by @naa0yama in #63 * Change command to postVersionCommand in .tagpr by @naa0yama in #77 * Update PATH export logic in Dockerfile by @naa0yama in #84 * Update postStartCommand.sh by @naa0yama in #92 * Update initializeCommand.sh by @naa0yama in #93 * fix(otel): harden tracing to prevent sensitive data leakage by @naa0yama in #97 * fix(ci): replace softprops/action-gh-release with gh CLI by @naa0yama in #98 * Update release.yml by @naa0yama in #99 **Full Changelog**: v0.3.0...tagpr-from-v0.3.0 --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
naa0yama pushed a commit that referenced this pull request Mar 16, 2026
<!-- Release notes generated using configuration in .github/release.yml at main --> ## What's Changed ### Documentation 🗒️ * refactor(skills): apply boilerplate-rust template to skills hierarchy by @naa0yama in #91 ### Dependency Updates 📦 * chore(deps): update rust crate tempfile to v3.26.0 by @renovate[bot] in #61 ### Development Environment 🔧 * chore(deps): update taiki-e/install-action action to v2.68.1 by @renovate[bot] in #45 * chore(deps): update taiki-e/install-action action to v2.68.2 by @renovate[bot] in #47 * chore(deps): update dependency usage to v2.17.4 by @renovate[bot] in #48 * chore(deps): update taiki-e/install-action action to v2.68.3 by @renovate[bot] in #50 * chore(deps): update taiki-e/install-action action to v2.68.4 by @renovate[bot] in #51 * chore(deps): update github/codeql-action action to v4.32.4 by @renovate[bot] in #52 * chore(deps): update taiki-e/install-action action to v2.68.5 by @renovate[bot] in #53 * chore(deps): update taiki-e/install-action action to v2.68.6 by @renovate[bot] in #54 * chore(deps): update taiki-e/install-action action to v2.68.7 by @renovate[bot] in #55 * chore: backport-2 by @naa0yama in #56 * chore(deps): update actions/attest-build-provenance action to v3 by @renovate[bot] in #13 * chore(deps): update taiki-e/install-action action to v2.68.8 by @renovate[bot] in #58 * chore(deps): update jdx/mise-action digest to e79ddf6 by @renovate[bot] in #59 * feat(deps): cargo target cleanup by @naa0yama in #62 * chore(deps): update taiki-e/install-action action to v2.68.9 by @renovate[bot] in #65 * chore(deps): update dependency usage to v2.18.1 by @renovate[bot] in #64 * chore(deps): update songmu/tagpr action to v1.17.1 by @renovate[bot] in #66 * chore(deps): update taiki-e/install-action action to v2.68.10 by @renovate[bot] in #68 * chore(deps): update taiki-e/install-action action to v2.68.11 by @renovate[bot] in #69 * chore(deps): update taiki-e/install-action action to v2.68.12 by @renovate[bot] in #70 * 
chore(deps): update all action update by @renovate[bot] in #71 * chore(deps): update taiki-e/install-action action to v2.68.14 by @renovate[bot] in #72 * chore(deps): update taiki-e/install-action action to v2.68.15 by @renovate[bot] in #73 * chore(deps): update actions-rust-lang/setup-rust-toolchain action to v1.15.3 by @renovate[bot] in #74 * chore(deps): update dependency usage to v2.18.2 by @renovate[bot] in #75 * chore(deps): update taiki-e/install-action action to v2.68.16 by @renovate[bot] in #76 * chore(deps): update github/codeql-action action to v4.32.5 by @renovate[bot] in #78 * chore(deps): update taiki-e/install-action action to v2.68.17 by @renovate[bot] in #79 * chore(deps): update dependency github:rust-secure-code/cargo-auditable to v0.7.3 by @renovate[bot] in #80 * chore(deps): update taiki-e/install-action action to v2.68.18 by @renovate[bot] in #81 * chore(deps): update rust docker tag to v1.93.1 by @renovate[bot] in #82 * chore(deps): update taiki-e/install-action action to v2.68.19 by @renovate[bot] in #85 * Update PATH export logic in Dockerfile by @naa0yama in #84 * chore(deps): update github/codeql-action action to v4.32.6 by @renovate[bot] in #86 * chore(deps): update taiki-e/install-action action to v2.68.20 by @renovate[bot] in #87 * chore(deps): update taiki-e/install-action action to v2.68.21 by @renovate[bot] in #88 * chore(deps): update taiki-e/install-action action to v2.68.22 by @renovate[bot] in #89 * chore(deps): update taiki-e/install-action action to v2.68.23 by @renovate[bot] in #90 * chore(deps): update dependency github:rust-secure-code/cargo-auditable to v0.7.4 by @renovate[bot] in #83 * chore(deps): update dependency aqua:ast-grep/ast-grep to v0.41.0 by @renovate[bot] in #57 * chore(deps): update dependency dprint to v0.52.0 by @renovate[bot] in #67 * chore(deps): update all action update (major) by @renovate[bot] in #60 * chore(deps): update all action update by @renovate[bot] in #94 * chore(deps): update 
taiki-e/install-action action to v2.68.25 by @renovate[bot] in #95 * chore(deps): update zizmorcore/zizmor-action action to v0.5.2 by @renovate[bot] in #96 * fix(ci): fix release build and changelog label categorisation by @naa0yama in #100 * fix(ci): allow tagpr workflow to run on workflow_dispatch by @naa0yama in #102 * fix(ci): upload assets to tagpr-created release instead of creating a new one by @naa0yama in #104 ### Other Changes * chore: claude skills update by @naa0yama in #63 * Change command to postVersionCommand in .tagpr by @naa0yama in #77 * Update postStartCommand.sh by @naa0yama in #92 * Update initializeCommand.sh by @naa0yama in #93 * fix(otel): harden tracing to prevent sensitive data leakage by @naa0yama in #97 * fix(ci): replace softprops/action-gh-release with gh CLI by @naa0yama in #98 * Update release.yml by @naa0yama in #99 **Full Changelog**: v0.3.0...tagpr-from-v0.3.0 --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
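## Summary

* Lowered to `trace`, preventing fingerprints, key IDs, and email addresses from leaking via OTel spans
* Changed from `info` to `debug` to curb unnecessary information disclosure under the default configuration
* Added security comments to `shim.rs` on why tracing is left uninitialized and on the safety of `args` logging
* Added a comment to the OTel setup in `main.rs` stating that the `process.command_args` / `process.environment` resource attributes must not be added
* Replaced `forwardPorts` with `portsAttributes` / `otherPortsAttributes` and changed `autoForwardPortsSource` to `process`
* Removed the background execution (`&`) of Jaeger from `postStartCommand.sh`
* generate-jaeger-ui-config.sh + jaeger-ui.js)

## Test plan

* `mise run test`: all 138 tests pass
* `mise run pre-commit`: fmt, clippy:strict, ast-grep pass
* Manually confirmed that no sensitive information is output with `RUST_LOG=info`
* Confirmed that GPG stderr is output only at trace level with `RUST_LOG=trace`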
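The manual `RUST_LOG=info` check in the test plan can be automated by scanning captured log output for the three identifier kinds the summary names. The script below is an added example, not code from this PR or project. It assumes the `<timestamp> <LEVEL> <target>: <message>` line layout of tracing-subscriber's default formatter; the `app::gpg` target and every sample value are constructed.

```shell
#!/bin/sh
# Added example: flag GPG identifiers on log lines above TRACE level.
# Assumed line layout: <timestamp> <LEVEL> <target>: <message>

TRACE_RE='^[^[:space:]]+[[:space:]]+TRACE[[:space:]]'
# 40 hex digits = OpenPGP v4 fingerprint; 16 hex digits = long key ID.
# Caveat: a 16-hex OTel span ID would also match KEYID_RE.
FPR_RE='(^|[^0-9A-Fa-f])[0-9A-Fa-f]{40}([^0-9A-Fa-f]|$)'
KEYID_RE='(^|[^0-9A-Fa-f])[0-9A-Fa-f]{16}([^0-9A-Fa-f]|$)'
EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# Constructed sample output; app::gpg is a hypothetical target name.
sample_log() {
  cat <<'EOF'
2026-03-16T00:00:00.000000Z  INFO app::gpg: gpg exited status=0
2026-03-16T00:00:00.000001Z TRACE app::gpg: stderr="gpg: using RSA key 0123456789ABCDEF0123456789ABCDEF01234567"
2026-03-16T00:00:00.000002Z DEBUG app::gpg: key_count=2
2026-03-16T00:00:00.000003Z  INFO app::gpg: stderr="gpg: Good signature from \"Alice <alice@example.org>\""
2026-03-16T00:00:00.000004Z  WARN app::gpg: signer key 89ABCDEF01234567 not trusted
EOF
}

# Reads log lines on stdin, prints "<kind>: <line>" for each identifier found
# on a non-TRACE line, and returns 1 if there was at least one hit.
find_leaks() {
  found=0
  while IFS= read -r line; do
    # GPG stderr is expected at TRACE only, so those lines are skipped.
    if printf '%s\n' "$line" | grep -Eq "$TRACE_RE"; then continue; fi
    for kind in fingerprint keyid email; do
      case $kind in
        fingerprint) re=$FPR_RE ;;
        keyid) re=$KEYID_RE ;;
        email) re=$EMAIL_RE ;;
      esac
      if printf '%s\n' "$line" | grep -Eq "$re"; then
        printf '%s: %s\n' "$kind" "$line"
        found=1
      fi
    done
  done
  return "$found"
}

sample_log | find_leaks || echo "identifiers found above TRACE level" >&2
```

In CI the same function can read the real binary's output captured under `RUST_LOG=info`, with the non-zero return failing the job.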