microsoft · ryankeithster · May 6, 2026 · May 7, 2026 · helsaawy · May 7, 2026
@@ -91,8 +91,10 @@ func setLogConfiguration() error {
 				logrus.SetLevel(lvl)
 			}
 
-			if opts.ScrubLogs {
-				log.SetScrubbing(true)
+			// Scrubbing is enabled by default (via init() in internal/log/scrub.go).
+			// Only disable if the option is explicitly set to false.
+			if opts.ScrubLogs != nil && !*opts.ScrubLogs {
+				log.SetScrubbing(false)
 			}
 		}
 		_ = os.Stdin.Close()

@@ -105,8 +105,9 @@ message Options {
 	// UTC.
 	bool no_inherit_host_timezone = 19;
 
-	// scrub_logs enables removing environment variables and other potentially sensitive information from logs
-	bool scrub_logs = 20;
+	// scrub_logs controls removing environment variables and other potentially sensitive information from logs.
+	// If unset, scrubbing is enabled by default. Set explicitly to false to disable.
+	optional bool scrub_logs = 20;
 }
 
 // ProcessDetails contains additional information about a process. This is the additional

@@ -161,9 +161,10 @@ var serveCommand = cli.Command{
 
 		os.Stdin.Close()
 
-		// enable scrubbing
-		if shimOpts.ScrubLogs {
-			hcslog.SetScrubbing(true)
+		// Scrubbing is enabled by default (via init() in internal/log/scrub.go).
+		// Only disable if the option is explicitly set to false.
+		if shimOpts.ScrubLogs != nil && !*shimOpts.ScrubLogs {
+			hcslog.SetScrubbing(false)
 		}
 
 		// Force the cli.ErrWriter to be os.Stdout for this. We use stderr for

@@ -221,7 +221,7 @@ func main() {
 	disableTimeSync := flag.Bool("disable-time-sync",
 		false,
 		"If true do not run chronyd time synchronization service inside the UVM")
-	scrubLogs := flag.Bool("scrub-logs", false, "If true, scrub potentially sensitive information from logging")
+	scrubLogs := flag.Bool("scrub-logs", true, "If true, scrub potentially sensitive information from logging")
 	initialPolicyStance := flag.String("initial-policy-stance",
 		"allow",
 		"Stance: allow, deny.")

@@ -219,7 +219,10 @@ func buildGCSCommand(
 		gcsParts = append(gcsParts, "-disable-time-sync")
 	}
 
-	if opts != nil && opts.ScrubLogs {
+	// Scrubbing is enabled by default. Only pass -scrub-logs=false if explicitly disabled.
+	if opts != nil && opts.ScrubLogs != nil && !*opts.ScrubLogs {
+		gcsParts = append(gcsParts, "-scrub-logs=false")
+	} else {
 		gcsParts = append(gcsParts, "-scrub-logs")
 	}
 

@@ -20,6 +20,7 @@ import (
 	vm "github.com/Microsoft/hcsshim/sandbox-spec/vm/v2"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"google.golang.org/protobuf/proto"
 )
 
 type specTestCase struct {
@@ -1638,11 +1639,11 @@ func TestBuildSandboxConfig_BootOptions(t *testing.T) {
 			},
 		},
 		{
-			name: "scrub logs option",
+			name: "scrub logs option enabled",
 			opts: &runhcsoptions.Options{
 				SandboxPlatform:   "linux/amd64",
 				BootFilesRootPath: vhdOnlyPath,
-				ScrubLogs:         true,
+				ScrubLogs:         proto.Bool(true),
 			},
 			validate: func(t *testing.T, doc *hcsschema.ComputeSystem, sandboxOpts *SandboxOptions) {
 				t.Helper()
@@ -1651,6 +1652,37 @@ func TestBuildSandboxConfig_BootOptions(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "scrub logs option disabled",
+			opts: &runhcsoptions.Options{
+				SandboxPlatform:   "linux/amd64",
+				BootFilesRootPath: vhdOnlyPath,
+				ScrubLogs:         proto.Bool(false),
+			},
+			validate: func(t *testing.T, doc *hcsschema.ComputeSystem, sandboxOpts *SandboxOptions) {
+				t.Helper()
+				if !strings.Contains(getKernelArgs(doc), "-scrub-logs=false") {
+					t.Error("expected -scrub-logs=false in kernel args")
+				}
+			},
+		},
+		{
+			name: "scrub logs option unset",
+			opts: &runhcsoptions.Options{
+				SandboxPlatform:   "linux/amd64",
+				BootFilesRootPath: vhdOnlyPath,
+			},
+			validate: func(t *testing.T, doc *hcsschema.ComputeSystem, sandboxOpts *SandboxOptions) {
+				t.Helper()
+				args := getKernelArgs(doc)
+				if !strings.Contains(args, "-scrub-logs") {
+					t.Error("expected -scrub-logs in kernel args")
+				}
+				if strings.Contains(args, "-scrub-logs=false") {
+					t.Error("did not expect -scrub-logs=false in kernel args")
+				}
+			},
+		},
 	}
 
 	runTestCases(t, ctx, nil, tests)

@@ -129,7 +129,7 @@ func initializeCreateOptions(ctx context.Context, createOptions *CreateOptions)
 	}
 
 	log.G(ctx).WithFields(logrus.Fields{
-		"options": log.Format(ctx, createOptions),
+		"options": log.FormatScrub(ctx, createOptions, log.ScrubCreateOptions),
 		"schema":  log.Format(ctx, coi.actualSchemaVersion),
 	}).Debug("hcsshim::initializeCreateOptions")
-	log.G(ctx).WithFields(logrus.Fields{
-		"options": log.Format(ctx, createOptions),
-		"options": log.FormatScrub(ctx, createOptions, log.ScrubCreateOptions),
-		"schema":  log.Format(ctx, coi.actualSchemaVersion),
-	}).Debug("hcsshim::initializeCreateOptions")
+	if logrus.IsLevelEnabled(logrus.DebugLevel) {
+		if b, err := log.ScrubCreateOptions([]byte(log.Format(ctx, createOptions))); err != nil {
+			log.G(ctx).WithError(err).Warning("could not scrub CreateOptions")
+		} else {
+			log.G(ctx).WithFields(logrus.Fields{
+				"options": string(b)
+				"schema":  log.Format(ctx, coi.actualSchemaVersion),
+			}).Debug("hcsshim::initializeCreateOptions")
+		}
+	}
-	log.G(ctx).WithFields(logrus.Fields{
-		"options": log.Format(ctx, createOptions),
-		"options": log.FormatScrub(ctx, createOptions, log.ScrubCreateOptions),
-		"schema":  log.Format(ctx, coi.actualSchemaVersion),
-	}).Debug("hcsshim::initializeCreateOptions")
+	if logrus.IsLevelEnabled(logrus.DebugLevel) {
+		if b, err := log.ScrubCreateOptions([]byte(log.Format(ctx, createOptions))); err != nil {
+			log.G(ctx).WithError(err).Warning("could not scrub CreateOptions")
+		} else {
+			log.G(ctx).WithFields(logrus.Fields{
+				"options": string(b)
+				"schema":  log.Format(ctx, coi.actualSchemaVersion),
+			}).Debug("hcsshim::initializeCreateOptions")
+		}
+	}
 

@@ -76,6 +76,30 @@ func Format(ctx context.Context, v interface{}) string {
 	return string(b)
 }
 
+// FormatScrub formats a value as JSON and then applies a scrub function to remove
+// potentially sensitive information before logging.
+func FormatScrub(ctx context.Context, v interface{}, scrub func([]byte) ([]byte, error)) string {
+	b, err := encode(v)
+	if err != nil {
+		G(ctx).WithFields(logrus.Fields{
+			logrus.ErrorKey: err,
+			"type":          fmt.Sprintf("%T", v),
+		}).Debug("could not format value")
+		return ""
+	}
+
+	b, err = scrub(b)
+	if err != nil {
+		G(ctx).WithFields(logrus.Fields{
+			logrus.ErrorKey: err,
+			"type":          fmt.Sprintf("%T", v),
+		}).Debug("could not scrub value")
+		return ""
+	}
+
+	return string(b)
+}
-func FormatScrub(ctx context.Context, v interface{}, scrub func([]byte) ([]byte, error)) string {
-	b, err := encode(v)
-	if err != nil {
-		G(ctx).WithFields(logrus.Fields{
-			logrus.ErrorKey: err,
-			"type":          fmt.Sprintf("%T", v),
-		}).Debug("could not format value")
-		return ""
-	}
-
-	b, err = scrub(b)
-	if err != nil {
-		G(ctx).WithFields(logrus.Fields{
-			logrus.ErrorKey: err,
-			"type":          fmt.Sprintf("%T", v),
-		}).Debug("could not scrub value")
-		return ""
-	}
-
-	return string(b)
-}
+func FormatScrub(ctx context.Context, v any, scrub func([]byte) ([]byte, error)) string {
+	s := Format(ctx, v)
+	if s == "" {
+		return ""
+	}	
+	b, err := scrub([]byte(s))
+	if err != nil {
+		G(ctx).WithFields(logrus.Fields{
+			logrus.ErrorKey: err,
+			"type":          fmt.Sprintf("%T", v),
+		}).Debug("could not scrub value")
+	}
+
+	return string(b)
+}
-func FormatScrub(ctx context.Context, v interface{}, scrub func([]byte) ([]byte, error)) string {
-	b, err := encode(v)
-	if err != nil {
-		G(ctx).WithFields(logrus.Fields{
-			logrus.ErrorKey: err,
-			"type":          fmt.Sprintf("%T", v),
-		}).Debug("could not format value")
-		return ""
-	}
-
-	b, err = scrub(b)
-	if err != nil {
-		G(ctx).WithFields(logrus.Fields{
-			logrus.ErrorKey: err,
-			"type":          fmt.Sprintf("%T", v),
-		}).Debug("could not scrub value")
-		return ""
-	}
-
-	return string(b)
-}
+func FormatScrub(ctx context.Context, v any, scrub func([]byte) ([]byte, error)) string {
+	s := Format(ctx, v)
+	if s == "" {
+		return ""
+	}	
+	b, err := scrub([]byte(s))
+	if err != nil {
+		G(ctx).WithFields(logrus.Fields{
+			logrus.ErrorKey: err,
+			"type":          fmt.Sprintf("%T", v),
+		}).Debug("could not scrub value")
+	}
+
+	return string(b)
+}
+
 func encode(v interface{}) (_ []byte, err error) {
 	if m, ok := v.(proto.Message); ok {
 		// use canonical JSON encoding for protobufs (instead of [encoding/json])

@@ -29,7 +29,13 @@ var (
 	_scrub atomic.Bool
 )
 
-// SetScrubbing enables scrubbing
+func init() {
+	// Scrubbing is enabled by default to prevent sensitive information
+	// (such as environment variables containing secrets) from leaking to logs.
+	_scrub.Store(true)
+}
+
+// SetScrubbing enables or disables scrubbing of potentially sensitive information from logging.
 func SetScrubbing(enable bool) { _scrub.Store(enable) }
 
 // IsScrubbingEnabled checks if scrubbing is enabled
@@ -174,6 +180,19 @@ func isRequestBase(m genMap) bool {
 	return a && c
 }
 
+// ScrubCreateOptions scrubs a JSON-encoded CreateOptions struct,
+// removing sensitive fields (env vars, annotations) from the embedded OCI Spec.
+func ScrubCreateOptions(b []byte) ([]byte, error) {
+	return scrubBytes(b, scrubCreateOptions)
+}
+
+func scrubCreateOptions(m genMap) error {
+	if spec, ok := index(m, "Spec"); ok {
+		return scrubOCISpec(spec)
+	}
+	return nil
+}
+
 // combination `m, ok := m[s]` and `m, ok := m.(genMap)`
 func index(m genMap, s string) (genMap, bool) {
 	if m, ok := m[s]; ok {