Hiding passwords from Exec tasks

plugins

(Stewart Bryson) #1

We currently call a lot of command-line utilities using Exec from some legacy solutions we integrate Gradle with. Some of those CLIs have passwords passed to them. All of the Exec calls are being made in Gradle plugins that we wrote for this functionality.

My question: are there ways to hide these? Some of the solutions I’m considering:

  1. Write a custom logger that overrides the Gradle INFO logger (is this even possible?) with some regular expression logic to replace passwords with “********” type stuff… similar to what Jenkins does when it recognizes passwords.
  2. Most of the command-line utilities we use have functionality where, if the password is not provided, it prompts for it. The only issue… there are multiple passwords that get passed, and they get prompted for in no particular order, so I’d need a way of checking for which password, provide the current one, etc. It’s a mess.
  3. Using the credentials plugin (or similar) for configuring encrypted (or at least hidden) password values. I’d prefer not to go this route because the CI servers have functionality for this.
  4. Modify the standardInput portion of the Exec call to not write the CLI call to standard out. However… there’s good information in seeing this when we want to.

I’d be thankful for any solutions… but also, just any ideas or opinions about approaches, etc.

Thank you.
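
Option 1 above (replacing passwords with "********" before they reach the log, as Jenkins does) can be done on known secret values instead of a guessed pattern. The following is an added example, not code from the original post or from Gradle: `CommandLineMasker` is a hypothetical helper a plugin would call when it logs a command line, and the tool name, flags and passwords are constructed.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;

/** Log-safe rendering of a command line (hypothetical helper, not a Gradle API). */
public class CommandLineMasker {
    private static final String MASK = "********";
    private final List<String> secrets;

    public CommandLineMasker(List<String> secretValues) {
        // Drop null/empty values: replacing "" would insert the mask between every character.
        // Sort longest first so a secret that contains another secret is masked whole.
        this.secrets = secretValues.stream()
                .filter(s -> s != null && !s.isEmpty())
                .distinct()
                .sorted(Comparator.comparingInt(String::length).reversed())
                .collect(Collectors.toList());
    }

    /** Returns a copy of the arguments with every occurrence of a known secret replaced. */
    public List<String> mask(List<String> args) {
        List<String> out = new ArrayList<>(args.size());
        for (String arg : args) {
            String masked = arg;
            for (String secret : secrets) {
                // String.replace is a literal replacement, so regex metacharacters
                // in a password ($, *, \) need no escaping.
                masked = masked.replace(secret, MASK);
            }
            out.add(masked);
        }
        return out;
    }

    public static void main(String[] argv) {
        // Constructed sample: one password passed as its own argument,
        // one embedded in a connect string, plus an empty value that must be ignored.
        List<String> secrets = List.of("s3cr$t*", "s3cr$t*-admin", "");
        List<String> cmd = List.of("legacy-cli", "--user", "etl",
                "--password", "s3cr$t*",
                "--connect=admin/s3cr$t*-admin@db01");
        CommandLineMasker masker = new CommandLineMasker(secrets);
        // The plugin would log this string and pass the unmasked list to the process.
        System.out.println(String.join(" ", masker.mask(cmd)));
    }
}
```

This only covers what the plugin itself writes to the log. Arguments passed on the command line remain visible to other users of the build host through the process list while the tool runs.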