ProcessResourceDetector collects CLI args by default #5358

Description

@pmcollins

Describe your environment

No response

What happened?

ProcessResourceDetector sets process.command_args and process.command_line by default. This can be problematic from a security perspective because these attributes can contain secrets or other sensitive data from command-line arguments. Furthermore, the spec says they are both supposed to be opt-in and should not be collected by default unless sensitive data is sanitized:

https://opentelemetry.io/docs/specs/semconv/resource/process/

Steps to Reproduce

python -c 'from opentelemetry.sdk.resources import ProcessResourceDetector; r = ProcessResourceDetector().detect(); print(r.attributes.get("process.command_args")); print(r.attributes.get("process.command_line"))' --api-key=secret-value

Expected Result

ProcessResourceDetector should not collect or emit process.command_args or process.command_line by default.

Actual Result

ProcessResourceDetector collects and emits process.command_args or process.command_line by default.

Additional context

ProcessResourceDetector is not loaded by default. This issue is about the detector behavior once used.

Would you like to implement a fix?

Yes
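
As an added example (not part of the issue and not the SDK's own code), here is one way to apply the opt-in rule to an attribute mapping before export: both attributes are dropped by default and emitted only in redacted form when opted in. The function names, the `opt_in` parameter, the sensitive-option pattern and the sample values are assumptions made for illustration.

```python
import re
import shlex

# Attribute keys named in the issue above.
CMD_ARGS = "process.command_args"
CMD_LINE = "process.command_line"

# Assumption: heuristic pattern for option names whose values are treated as secret.
_SENSITIVE = re.compile(r"(key|token|secret|passw(or)?d|credential|auth)", re.I)
REDACTED = "REDACTED"


def redact_args(args):
    """Mask values of sensitive-looking options in both --k=v and --k v forms."""
    out, mask_next = [], False
    for arg in args:
        if mask_next and not arg.startswith("-"):
            out.append(REDACTED)  # value belonging to the previous sensitive option
            mask_next = False
            continue
        mask_next = False
        name, sep, _value = arg.partition("=")
        if name.startswith("-") and _SENSITIVE.search(name):
            if sep:
                out.append(f"{name}={REDACTED}")
            else:
                out.append(arg)
                mask_next = True  # the value, if any, is the next argument
        else:
            out.append(arg)
    return out


def scrub_process_attributes(attributes, opt_in=False):
    """Drop both attributes unless opted in; when opted in, emit redacted values."""
    scrubbed = {k: v for k, v in attributes.items() if k not in (CMD_ARGS, CMD_LINE)}
    if opt_in and CMD_ARGS in attributes:
        safe = redact_args(list(attributes[CMD_ARGS]))
        scrubbed[CMD_ARGS] = tuple(safe)
        # Rebuild the command line from the redacted args, never from the raw string.
        scrubbed[CMD_LINE] = shlex.join(safe)
    return scrubbed


# Constructed sample input; not output captured from the detector.
SAMPLE = {
    "process.pid": 4242,
    CMD_ARGS: ("-c", "--api-key=secret-value", "--token", "abc123", "--verbose"),
    CMD_LINE: "-c --api-key=secret-value --token abc123 --verbose",
}
```

Name-based redaction cannot recognize secrets passed positionally or embedded inside another argument, which is why the default path removes both attributes entirely.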
