in-toto · Horiodino · Mar 10, 2025
diff --git a/cmd/run.go b/cmd/run.go
@@ -131,7 +131,7 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 	for _, dirHashGlobItem := range ro.DirHashGlobs {
 		_, err := glob.Compile(dirHashGlobItem)
 		if err != nil {
-			return fmt.Errorf("failed to compile glob: %v", err)	
+			return fmt.Errorf("failed to compile glob: %v", err)
 		}
 	}
 
@@ -144,7 +144,7 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 			attestation.WithHashes(roHashes),
 			attestation.WithDirHashGlob(ro.DirHashGlobs),
 			attestation.WithEnvCapturer(
-				ro.EnvAddSensitiveKeys, ro.EnvExcludeSensitiveKeys, ro.EnvDisableSensitiveVars, ro.EnvFilterSensitiveVars,
+				ro.EnvAddSensitiveKeys, ro.EnvAllowSensitiveKeys, ro.EnvDisableSensitiveVars, ro.EnvFilterSensitiveVars,
 			),
 		),
 		witness.RunWithTimestampers(timestampers...),

diff --git a/docs/attestors/environment.md b/docs/attestors/environment.md
@@ -24,7 +24,7 @@ you can use `--env-add-sensitive-key 'FOO'` for `FOO` or
 
 There could be cases where you really want to have a specific key that is part
 of the default sensitive vars list to be captured. You can do so by using the
-`--env-exclude-sensitive-key`.
+`--env-allow-sensitive-key`.
 
 ## Default sensitive vars
 

diff --git a/docs/commands.md b/docs/commands.md
@@ -54,7 +54,7 @@ witness run [cmd] [flags]
       --enable-archivista                             Use Archivista to store or retrieve attestations
       --env-add-sensitive-key strings                 Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.
       --env-disable-default-sensitive-vars            Disable the default list of sensitive vars and only use the items mentioned by --add-sensitive-key.
-      --env-exclude-sensitive-key strings             Exclude specific keys from the list of sensitive environment keys. Note: This does not support globs.
+      --env-allow-sensitive-key strings             Allow specific keys from the list of sensitive environment keys. Note: This does not support globs.
       --env-filter-sensitive-vars                     Switch from obfuscate to filtering variables which removes them from the output completely.
       --hashes strings                                Hashes selected for digest calculation. Defaults to SHA256 (default [sha256])
   -h, --help                                          help for run
@@ -260,4 +260,3 @@ witness version [flags]
 ### SEE ALSO
 
 * [witness](witness.md)	 - Collect and verify attestations about your build environments
-
diff --git a/options/run.go b/options/run.go
@@ -38,7 +38,7 @@ type RunOptions struct {
 	EnvFilterSensitiveVars   bool
 	EnvDisableSensitiveVars  bool
 	EnvAddSensitiveKeys      []string
-	EnvExcludeSensitiveKeys  []string
+	EnvAllowSensitiveKeys    []string
 }
 
 var RequiredRunFlags = []string{
@@ -67,7 +67,7 @@ func (ro *RunOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVarP(&ro.EnvFilterSensitiveVars, "env-filter-sensitive-vars", "", false, "Switch from obfuscate to filtering variables which removes them from the output completely.")
 	cmd.Flags().BoolVarP(&ro.EnvDisableSensitiveVars, "env-disable-default-sensitive-vars", "", false, "Disable the default list of sensitive vars and only use the items mentioned by --add-sensitive-key.")
 	cmd.Flags().StringSliceVar(&ro.EnvAddSensitiveKeys, "env-add-sensitive-key", []string{}, "Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.")
-	cmd.Flags().StringSliceVar(&ro.EnvExcludeSensitiveKeys, "env-exclude-sensitive-key", []string{}, "Exclude specific keys from the list of sensitive environment keys. Note: This does not support globs.")
+	cmd.Flags().StringSliceVar(&ro.EnvAllowSensitiveKeys, "env-allow-sensitive-key", []string{}, "Allow specific keys from the list of sensitive environment keys. Note: This does not support globs.")
 
 	cmd.MarkFlagsRequiredTogether(RequiredRunFlags...)