Prevent logging a specific command in Concourse CI

Question

I have a shell-based concourse task which uses semi-sensitive credentials (a key to a test server) in one of its commands. I'd like to avoid this being logged in the task output.

The gist of the pipeline is:

jobs:
- name: foobar
  plan:
  <...>
  - task: build
    config:
      platform: linux
      image_resource:
        type: docker-image
        source:
          repository: ubuntu
      <...>
      run:
        path: bash
        args:
        - -exc
        - |
          command-which-is-ok-to-print
          foobar {{my-secret-data}}               # <-- hide this one!
          another-command-which-is-ok-to-print

Currently the output appears as:

+ command-which-is-ok-to-print
results of first command which are OK to print
+ foobar "oh-no-secret-data-here!"                  <-- hide this one!
more results which are OK to print
+ another-command-which-is-ok-to-print
even more results which are OK to print

Is there a way to suppress printing this specific line?

Answer 1

I twigged that -exc was actually setting the flags e and x (I'd assumed it was short-hand for execute!

The -x is what causes the commands to be echoed (by bash itself rather than concourse), so this successfully prevented a single command being executed:

  <...>
  run:
    path: bash
    args:
    - -exc
    - |
      command-which-is-ok-to-print
      set +x
      foobar {{my-secret-data}}
      set -x
      another-command-which-is-ok-to-print