Skip to main content
Dynamic secret scrubbing allows you to retrieve secrets at runtime from external vaults (like Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault) while automatically removing those sensitive values from logs, traces, screenshots with text, and report trees. This is particularly useful for organizations that prefer not to store secrets in Checkly and want to maintain their existing secret management infrastructure. Set environment variables with the CHECKLY_SECRET_* prefix and the runtime will detect and scrub those values from all check results.

How it works

Currently, dynamic secret scrubbing is only supported for Browser and Multi-Step Checks.
Assign values to process.env.CHECKLY_SECRET_* in your check code: 
// Direct assignment
process.env.CHECKLY_SECRET_API_KEY = 'your-secret-value'

// From external sources
process.env.CHECKLY_SECRET_PASSWORD = await getFromAzureKeyVault('db-password')
process.env.CHECKLY_SECRET_TOKEN = await fetchFromVault('auth-token')
The runtime automatically detects these variables and scrubs their values from:
  • Check logs
  • Trace files
  • Screenshots containing text
  • Report trees

Supported patterns

// Bracket notation
process.env['CHECKLY_SECRET_DATABASE_URL'] = connectionString

// Direct assignment
process.env.CHECKLY_SECRET_AUTH_TOKEN = token

// Dynamic retrieval
process.env.CHECKLY_SECRET_PAYMENT_KEY = await vault.get('payment-api-key')

Limitations

  • Check types: Only works in browser and multistep checks
  • Value format: Must be a string (empty strings, null, undefined, numbers, objects, and arrays are ignored)
  • Size limit: Values cannot exceed 128KB (~128,000 characters)
  • Pattern-based detection: Scrubbing works by detecting code and output structures. Complex or unconventional Playwright usage may fall outside of this detection. Follow the documented patterns for reliable scrubbing.
// This works ✅
const apiKey = process.env.CHECKLY_SECRET_API_KEY

// This doesn't work ❌
const key = 'CHECKLY_SECRET_' + 'API_KEY'
const apiKey = process.env[key]

Example usage

import { test } from '@playwright/test'

test('API call with scrubbed credentials', async ({ page }) => {
  // Set secrets at runtime
  process.env.CHECKLY_SECRET_API_TOKEN = await getTokenFromVault()
  process.env.CHECKLY_SECRET_USER_ID = await getCurrentUserId()
  
  // Use in your test - values will be scrubbed from results
  await page.request.post('/api/data', {
    headers: {
      'Authorization': `Bearer ${process.env.CHECKLY_SECRET_API_TOKEN}`,
      'X-User-ID': process.env.CHECKLY_SECRET_USER_ID
    }
  })
})

Runtime compatibility

This feature is available from runtime 2024.09 onwards. For private locations running older agent versions, contact support for access.