We were having a discussion whether it makes sense to implement a password filter for Ansible commands running via remote execution. In the end, you can see all reports as plain text in Foreman. We came to the conclusion that it is a security glitch, but it would be hard to capture all kinds of passwords from arbitrary Ansible code.
Any opinions on adding a feature that would try to filter passwords either as an Ansible callback plugin or as a filter for reports?
I guess no_log solves the problem by (as the name suggests) providing no log for the relevant task whatsoever. I think what we built was a callback plugin that tried to filter out just the things it identified as passwords, replacing them with ****** or something.
Of course there probably is no inherently reliable way of identifying passwords in a bunch of string output.
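As an added illustration (not code from this thread, from Ansible, or from Foreman), here is a minimal Python sketch of the kind of masking filter discussed above, applied to a task-result dictionary before it would be stored as a report. The key-name patterns, the function names and the sample result are assumptions constructed for the example.

```python
import re

MASK = "******"
# Assumed key-name heuristic; not a list taken from Ansible or Foreman.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)
# key=value / key: value pairs inside free-form strings such as stdout or cmd.
INLINE_PAIR = re.compile(r"(?i)\b([\w-]*(?:pass(?:word|wd)?|secret|token)[\w-]*)(\s*[=:]\s*)(\S+)")


def collect_secrets(node, found=None):
    """Gather string values stored under sensitive-looking keys."""
    found = set() if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str) and value and SENSITIVE_KEY.search(str(key)):
                found.add(value)
            else:
                collect_secrets(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_secrets(item, found)
    return found


def redact(node, secrets=None):
    """Return a copy of node with recognised secrets replaced by MASK."""
    if secrets is None:
        secrets = collect_secrets(node)
    if isinstance(node, dict):
        return {
            k: MASK if isinstance(v, str) and SENSITIVE_KEY.search(str(k))
            else redact(v, secrets)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [redact(item, secrets) for item in node]
    if isinstance(node, str):
        # Mask known values first (longest first), then inline key=value pairs.
        for s in sorted(secrets, key=len, reverse=True):
            node = node.replace(s, MASK)
        return INLINE_PAIR.sub(lambda m: m.group(1) + m.group(2) + MASK, node)
    return node

# Constructed sample result; all values are made up for this example.
SAMPLE = {
    "invocation": {"module_args": {"login_user": "app", "login_password": "s3cr3t-A"}},
    "cmd": "mysql -u app --password=s3cr3t-A -e 'select 1'",
    "stdout_lines": ["connecting with s3cr3t-A", "db_pass: hunter2-B", "rotated to Zx9-C"],
}
```

Running `redact(SAMPLE)` masks the module argument, every echo of that same value, and the inline `db_pass:` pair, but the last output line keeps `Zx9-C` because nothing marks it as a password. That residual leak is the reliability limit raised in the thread, and it is why `no_log` on the task remains the dependable option for known-sensitive tasks.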