Sensitive Environment Variables contained in logs and CLI

[nlawrencenerd13]

When trying to access private dbt packages through the packages.yml file, I realize that if you use something like a personal access token as an environment variable, it is logged to both the CLI and the logs. Is there a specific naming convention that must be used to scrub environment variables from the logs or is this a potential security issue that has been overlooked?

[nlawrencenerd13]

I figured it out. For whatever reason, I missed it in the documentation but you must prefix sensitive variables with the prefix DBT_ENV_SECRET and they will be scrubbed from any logs. Would be cool if it could be expanded potentially to something like PASSWORD or API_KEY or some of the most common sensitive environment variables.