Summary
Flowcept persists the entire YAML settings into MongoDB (Workflows collection) when project.enrich_messages=true. This includes sensitive fields (e.g., passwords).
Immediate workaround
Setting project.enrich_messages=false prevents the settings from being stored.
Proposed approach
Implement a redaction step before persisting settings:
- Maintain a static list of sensitive keys (e.g., in configs.py) such as: password, passwd, secret, token, api_key, key, credentials, etc.
- Optionally support a configurable denylist/allowlist in settings.
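
One way the proposed redaction step could look, as an added example that is not Flowcept's own code. The names redact_settings, denylist and allowlist and the sample settings are hypothetical; the sketch assumes keys are matched case-insensitively, either whole or by their `_`, `-` or `.` separated parts.

```python
import re

REDACTED = "***REDACTED***"
# Key names taken from the static list proposed in this issue.
SENSITIVE_KEYS = frozenset(
    {"password", "passwd", "secret", "token", "api_key", "key", "credentials"}
)


def _is_sensitive(key, sensitive, allow):
    """Match the whole key or any of its _ / - / . separated parts."""
    name = str(key).lower()
    if name in allow:
        return False
    parts = [p for p in re.split(r"[_\-.]", name) if p]
    return name in sensitive or any(p in sensitive for p in parts)


def redact_settings(settings, denylist=(), allowlist=()):
    """Return a redacted copy; the live settings object is left untouched."""
    sensitive = SENSITIVE_KEYS | {k.lower() for k in denylist}
    allow = {k.lower() for k in allowlist}

    def walk(node):
        if isinstance(node, dict):
            # A sensitive key hides its whole value, including nested subtrees.
            return {
                k: REDACTED if _is_sensitive(k, sensitive, allow) else walk(v)
                for k, v in node.items()
            }
        if isinstance(node, (list, tuple)):
            return [walk(item) for item in node]
        return node

    return walk(settings)


# Constructed sample settings (not Flowcept's real schema), as loaded from YAML.
SAMPLE = {
    "project": {"enrich_messages": True},
    "mongodb": {"host": "localhost", "port": 27017, "password": "hunter2"},
    "mq": {"api_key": "abc123", "key_prefix": "flowcept:",
           "brokers": [{"auth_token": "t0k"}]},
}

if __name__ == "__main__":
    # Pass the redacted copy to the persistence call, never the original.
    print(redact_settings(SAMPLE, allowlist=["key_prefix"]))
```

Key-name matching does not catch secrets embedded in values, such as credentials inside a connection URI, so those fields need either their own key in the denylist or value-level scrubbing.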