jackc / tern

The SQL Fan's Migrator

Ability to mask created user's passwords

dragonfriend0013 opened this issue

I am starting to use this utility to handle our database migrations. One thing that is missing is the ability to suppress the password in any user-created SQL.

When this is run in Jenkins, this output can be saved and the user's password can be exposed.

I could suppress all output by redirecting all output to /dev/null, but seeing the SQL statements during a migration is helpful.

For example:

CREATE USER testuser WITH PASSWORD 'testpass'; GRANT CONNECT ON DATABASE adl TO testuser;

could be masked with:

CREATE USER testuser WITH PASSWORD '*****'; GRANT CONNECT ON DATABASE test TO testuser;

tern doesn't have a way to know what text to redact.

Instead of redirecting to /dev/null you could redirect to sed, perl, ruby, or the like and do your filtering there.

e.g.

$ echo "CREATE USER testuser WITH PASSWORD 'testpass'; GRANT CONNECT ON DATABASE adl TO testuser;" | ruby -pe '$_.gsub!(/(?<=password '\'').*?(?='\'')/i, '\''***'\'')'
CREATE USER testuser WITH PASSWORD '***'; GRANT CONNECT ON DATABASE adl TO testuser;

Obviously the combination of regex and shell escaping is pretty brutal, but the redaction could be extracted into its own script and the results of tern piped into there.
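
The stand-alone filter suggested in the reply above, as an added example that is not part of the original thread or of tern. The file name, the `-` argument convention and the sample statements are assumptions made here; it assumes PostgreSQL string literals that escape a quote by doubling it, and it masks the doubled-quote and unterminated-literal cases that the one-liner's lazy match stops short of.

```ruby
#!/usr/bin/env ruby
# redact_passwords.rb (hypothetical name): masks SQL password literals in a
# log stream. Added example; not code from tern or from the thread.

# The pattern from the one-liner in the thread, kept for comparison.
ONE_LINER = /(?<=password ').*?(?=')/i

# PASSWORD keyword, whitespace, then a whole SQL string literal in which ''
# is an escaped quote. If the literal is not closed on this line, the match
# runs to end of line so the tail is masked rather than printed.
PASSWORD_LITERAL = /\b(password\s+)'(?:''|[^'])*(?:'|\z)/i

MASK = "'***'"

# Returns the line with every password literal replaced by MASK.
def redact(line)
  body = line.chomp
  eol  = line[body.length..] # keep the original line ending
  body.gsub(PASSWORD_LITERAL) { "#{$1}#{MASK}" } + eol
end

# Filters input to output one line at a time, so migration output still
# appears as it is produced. Continuation lines of a literal that spans
# several lines are not masked; only the line with the keyword is.
def redact_stream(input, output)
  input.each_line do |line|
    output.write(redact(line))
    output.flush
  end
end

# Constructed sample statements (not real credentials).
SAMPLE = <<~SQL
  CREATE USER testuser WITH PASSWORD 'testpass'; GRANT CONNECT ON DATABASE adl TO testuser;
  ALTER ROLE testuser WITH ENCRYPTED  PASSWORD 'pa''ss';
  ALTER ROLE testuser PASSWORD 'unterminated
SQL

if __FILE__ == $PROGRAM_NAME
  if ARGV.first == '-'
    redact_stream($stdin, $stdout) # pipe the migration output in on stdin
  else
    SAMPLE.each_line { |l| puts redact(l) }
  end
end
```

Run with `-` as the only argument to filter piped output; with no argument it prints the redacted sample.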