
We are using https to clone a repo as follows in a Jenkins build:

git clone https://${repo_username}:${repo_password}@internalgit.com/scm/project/repo.git -b ${branch_name} $tmp

In the above command, ${repo_username} and ${repo_password} are Jenkins variables passed as secrets, so they are not logged in clear text.

However, this adds the user credentials to the git remote URL, and in case of any push failure the credentials are shown in clear text in the following error:

[ERROR] To https://user:password@internalgit.com/scm/project/repo.git
[ERROR]  ! [remote rejected] master -> master (pre-receive hook declined)
[ERROR] error: failed to push some refs to 'https://user:password@internalgit.com/scm/project/repo.git'

There can be a number of valid reasons for a push failure; however, printing credentials on screen is not acceptable.

Is there a way either to:

  • mask the above error message, or
  • update the remote URL to drop the password, without the password being prompted for again during push.

The following workarounds work but are NOT acceptable in our use case:

  • Storing the password in the credential cache (using credential.helper)
  • Using ssh clones instead of https.
Arnab

1 Answer


Assuming that output is visible but input is not: git clone https://${repo_username}:${repo_password}@internalgit.com/scm/project/repo.git -b ${branch_name} $tmp | sed "s/${repo_password}/<redacted>/g" should do what you want.

I misread the question; for this answer to work you'd have to run it on each push (i.e. git push 2>&1 | sed "s/${repo_password}/<redacted>/g"). I also missed that git prints this to stderr, so unless you want to use process substitution, it will be difficult to redirect output.

You should escape the password in case it contains any special regex characters (as otherwise sed may match more or less than you mean to). This answer has some ready solutions for escaping strings to use with sed.

jyn
  • One caveat is that if the password contains any characters with special meaning in regex (of which `*` is reasonably likely) the regex may fail to actually match the password and still reveal it. As for redirecting the output, an alternative would be to redirect stdout to a temporary file and then immediately print it out. – Frax May 31 '18 at 23:42
  • very good point, see [this answer](https://stackoverflow.com/questions/29613304/) for info about escaping characters. – jyn May 31 '18 at 23:44
  • Nice link. I suggested an edit to add it directly to the answer for better visibility. – Frax May 31 '18 at 23:57
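An added example (mine, not from the question, the answer or the comments): the sed approach above depends on escaping regex metacharacters in the password, which the comments note is easy to get wrong. The functions below match the password literally with awk's index(), buffer git's combined stdout and stderr in a temporary file (as Frax suggests) and keep git's exit status. The `<redacted>` marker, the function names and the sample output with password `p*ss` are constructed for this example.

```shell
# redact_secret SECRET: read stdin, replace every literal occurrence of
# SECRET with <redacted>. The secret is passed via the environment rather
# than awk -v, because -v processes backslash escapes in the value.
redact_secret() {
  SECRET="$1" awk '
    {
      secret = ENVIRON["SECRET"]
      n = length(secret)
      line = $0
      out = ""
      # n > 0 guards against an empty secret, which would loop forever.
      while (n > 0 && (i = index(line, secret)) > 0) {
        out = out substr(line, 1, i - 1) "<redacted>"
        line = substr(line, i + n)
      }
      print out line
    }'
}

# git_push_redacted SECRET [git push args...]: run git push, capture its
# stdout and stderr together in a temp file, print them redacted to stderr
# (where git wrote the error), and return git's own exit status, which a
# plain pipe into the filter would otherwise replace with awk's.
git_push_redacted() {
  secret=$1
  shift
  tmp=$(mktemp) || return 1
  git push "$@" >"$tmp" 2>&1
  status=$?
  redact_secret "$secret" <"$tmp" >&2
  rm -f "$tmp"
  return "$status"
}

# Constructed sample of the failing push output from the question, with a
# password containing the regex metacharacter '*' from the comments.
demo() {
  printf '%s\n' \
    '[ERROR] To https://user:p*ss@internalgit.com/scm/project/repo.git' \
    "[ERROR] error: failed to push some refs to 'https://user:p*ss@internalgit.com/scm/project/repo.git'" \
    | redact_secret 'p*ss'
}
demo
```

In the Jenkins step this would be called as `git_push_redacted "$repo_password" origin "$branch_name"`; because the match is literal, no escaping of the secret is needed.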