microsoft · ryankeithster · May 6, 2026 · May 7, 2026 · May 8, 2026 · May 8, 2026
@@ -91,8 +91,10 @@ func setLogConfiguration() error {
 				logrus.SetLevel(lvl)
 			}
 
-			if opts.ScrubLogs {
-				log.SetScrubbing(true)
+			// Scrubbing is enabled by default (via init() in internal/log/scrub.go).
+			// Only disable if the option is explicitly set to false.
+			if opts.ScrubLogs != nil && !*opts.ScrubLogs {
+				log.SetScrubbing(false)
 			}
 		}
 		_ = os.Stdin.Close()

@@ -105,8 +105,9 @@ message Options {
 	// UTC.
 	bool no_inherit_host_timezone = 19;
 
-	// scrub_logs enables removing environment variables and other potentially sensitive information from logs
-	bool scrub_logs = 20;
+	// scrub_logs controls removing environment variables and other potentially sensitive information from logs.
+	// If unset, scrubbing is enabled by default. Set explicitly to false to disable.
+	optional bool scrub_logs = 20;
 }
 
 // ProcessDetails contains additional information about a process. This is the additional

@@ -161,9 +161,10 @@ var serveCommand = cli.Command{
 
 		os.Stdin.Close()
 
-		// enable scrubbing
-		if shimOpts.ScrubLogs {
-			hcslog.SetScrubbing(true)
+		// Scrubbing is enabled by default (via init() in internal/log/scrub.go).
+		// Only disable if the option is explicitly set to false.
+		if shimOpts.ScrubLogs != nil && !*shimOpts.ScrubLogs {
+			hcslog.SetScrubbing(false)
 		}
 
 		// Force the cli.ErrWriter to be os.Stdout for this. We use stderr for

@@ -221,7 +221,7 @@ func main() {
 	disableTimeSync := flag.Bool("disable-time-sync",
 		false,
 		"If true do not run chronyd time synchronization service inside the UVM")
-	scrubLogs := flag.Bool("scrub-logs", false, "If true, scrub potentially sensitive information from logging")
+	scrubLogs := flag.Bool("scrub-logs", true, "If true, scrub potentially sensitive information from logging")
 	initialPolicyStance := flag.String("initial-policy-stance",
 		"allow",
 		"Stance: allow, deny.")

@@ -5,6 +5,7 @@ package lcow
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 
 	runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
@@ -219,8 +220,9 @@ func buildGCSCommand(
 		gcsParts = append(gcsParts, "-disable-time-sync")
 	}
 
-	if opts != nil && opts.ScrubLogs {
-		gcsParts = append(gcsParts, "-scrub-logs")
+	// Scrubbing is enabled by default. Only pass the flag if explicitly set.
+	if opts != nil && opts.ScrubLogs != nil {
+		gcsParts = append(gcsParts, fmt.Sprintf("-scrub-logs=%s", strconv.FormatBool(*opts.ScrubLogs)))
 	}
 
 	if processDumpLocation != "" {

@@ -20,6 +20,7 @@ import (
 	vm "github.com/Microsoft/hcsshim/sandbox-spec/vm/v2"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"google.golang.org/protobuf/proto"
 )
 
 type specTestCase struct {
@@ -1638,11 +1639,11 @@ func TestBuildSandboxConfig_BootOptions(t *testing.T) {
 			},
 		},
 		{
-			name: "scrub logs option",
+			name: "scrub logs option enabled",
 			opts: &runhcsoptions.Options{
 				SandboxPlatform:   "linux/amd64",
 				BootFilesRootPath: vhdOnlyPath,
-				ScrubLogs:         true,
+				ScrubLogs:         proto.Bool(true),
 			},
 			validate: func(t *testing.T, doc *hcsschema.ComputeSystem, sandboxOpts *SandboxOptions) {
 				t.Helper()
@@ -1651,6 +1652,34 @@ func TestBuildSandboxConfig_BootOptions(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "scrub logs option disabled",
+			opts: &runhcsoptions.Options{
+				SandboxPlatform:   "linux/amd64",
+				BootFilesRootPath: vhdOnlyPath,
+				ScrubLogs:         proto.Bool(false),
+			},
+			validate: func(t *testing.T, doc *hcsschema.ComputeSystem, sandboxOpts *SandboxOptions) {
+				t.Helper()
+				if !strings.Contains(getKernelArgs(doc), "-scrub-logs=false") {
+					t.Error("expected -scrub-logs=false in kernel args")
+				}
+			},
+		},
+		{
+			name: "scrub logs option unset",
+			opts: &runhcsoptions.Options{
+				SandboxPlatform:   "linux/amd64",
+				BootFilesRootPath: vhdOnlyPath,
+			},
+			validate: func(t *testing.T, doc *hcsschema.ComputeSystem, sandboxOpts *SandboxOptions) {
+				t.Helper()
+				args := getKernelArgs(doc)
+				if strings.Contains(args, "-scrub-logs") {
+					t.Error("did not expect -scrub-logs in kernel args when unset")
+				}
+			},
+		},
 	}
 
 	runTestCases(t, ctx, nil, tests)

@@ -128,10 +128,17 @@ func initializeCreateOptions(ctx context.Context, createOptions *CreateOptions)
 		coi.actualSchemaVersion = schemaversion.DetermineSchemaVersion(coi.SchemaVersion)
 	}
 
-	log.G(ctx).WithFields(logrus.Fields{
-		"options": log.Format(ctx, createOptions),
-		"schema":  log.Format(ctx, coi.actualSchemaVersion),
-	}).Debug("hcsshim::initializeCreateOptions")
+	// Log create options if debug logging is enabled
+	if logrus.IsLevelEnabled(logrus.DebugLevel) {
+		if b, err := log.ScrubCreateOptions([]byte(log.Format(ctx, createOptions))); err != nil {
+			log.G(ctx).WithError(err).Warning("could not scrub CreateOptions")
+		} else {
+			log.G(ctx).WithFields(logrus.Fields{
+				"options": string(b),
+				"schema":  log.Format(ctx, coi.actualSchemaVersion),
+			}).Debug("hcsshim::initializeCreateOptions")
+		}
+	}
 
 	return coi, nil
 }

@@ -29,7 +29,13 @@ var (
 	_scrub atomic.Bool
 )
 
-// SetScrubbing enables scrubbing
+func init() {
+	// Scrubbing is enabled by default to prevent sensitive information
+	// (such as environment variables containing secrets) from leaking to logs.
+	_scrub.Store(true)
+}
+
+// SetScrubbing enables or disables scrubbing of potentially sensitive information from logging.
 func SetScrubbing(enable bool) { _scrub.Store(enable) }
 
 // IsScrubbingEnabled checks if scrubbing is enabled
@@ -174,6 +180,19 @@ func isRequestBase(m genMap) bool {
 	return a && c
 }
 
+// ScrubCreateOptions scrubs a JSON-encoded CreateOptions struct,
+// removing sensitive fields (env vars, annotations) from the embedded OCI Spec.
+func ScrubCreateOptions(b []byte) ([]byte, error) {
+	return scrubBytes(b, scrubCreateOptions)
+}
+
+func scrubCreateOptions(m genMap) error {
+	if spec, ok := index(m, "Spec"); ok {
+		return scrubOCISpec(spec)
+	}
+	return nil
+}
+
 // combination `m, ok := m[s]` and `m, ok := m.(genMap)`
 func index(m genMap, s string) (genMap, bool) {
 	if m, ok := m[s]; ok {

@@ -841,8 +841,10 @@ func MakeLCOWDoc(ctx context.Context, opts *OptionsLCOW, uvm *UtilityVM) (_ *hcs
 		opts.ExecCommandLine = fmt.Sprintf("%s -disable-time-sync", opts.ExecCommandLine)
 	}
 
-	if log.IsScrubbingEnabled() {
-		opts.ExecCommandLine += " -scrub-logs"
+	// Scrubbing is enabled by default in GCS. Only pass the flag when scrubbing
+	// has been explicitly disabled on the host to inform GCS to turn it off.
+	if !log.IsScrubbingEnabled() {
+		opts.ExecCommandLine += " -scrub-logs=false"
 	}
 
 	execCmdArgs += " " + opts.ExecCommandLine