diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index aa06fdc..5186f68 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -430,7 +430,8 @@ func main() {
 "uid", os.Getuid(),
 "gid", os.Getgid(),
 "home", os.Getenv("HOME"),
- "args", logSafeArgs(os.Args))
+ "args", logSafeArgs(os.Args),
+ "env", logSafeEnv(os.Environ()))
 
 if _, err := exec.LookPath(*flGitCmd); err != nil {
 log.Error(err, "ERROR: git executable not found", "git", *flGitCmd)
@@ -717,16 +718,16 @@ func main() {
 }
 }
 
+const redactedString = ""
+
 // logSafeArgs makes sure any sensitive args (e.g. passwords) are redacted
 // before logging.
 func logSafeArgs(args []string) []string {
- const redacted = ""
-
 ret := make([]string, len(args))
 redact := false
 for i, arg := range args {
 if redact {
- ret[i] = redacted
+ ret[i] = redactedString
 redact = false
 continue
 }
@@ -734,13 +735,26 @@ func logSafeArgs(args []string) []string {
 redact = true
 }
 if strings.HasPrefix(arg, "--password=") {
- arg = "--password=" + redacted
+ arg = "--password=" + redactedString
 }
 ret[i] = arg
 }
 return ret
 }
 
+// logSafeEnv makes sure any sensitive env vars (e.g. passwords) are redacted
+// before logging.
+func logSafeEnv(env []string) []string {
+ ret := make([]string, len(env))
+ for i, ev := range env {
+ if strings.HasPrefix(ev, "GIT_SYNC_PASSWORD=") {
+ ev = "GIT_SYNC_PASSWORD=" + redactedString
+ }
+ ret[i] = ev
+ }
+ return ret
+}
+
 func normalizePath(path string) (string, error) {
 delinked, err := filepath.EvalSymlinks(path)
 if err != nil {
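Review bot: The added `"env", logSafeEnv(os.Environ())` field puts the entire process environment into this log record, and the only filtering is the single-name check in `logSafeEnv` (third hunk). The call these arguments belong to starts above the hunk, so its level is not visible here; if it is the unconditional startup record, every run ships the inherited environment to wherever logs are collected, which is usually readable by more people than the workload's own configuration. I would log the environment in a separate record at a debug verbosity and leave a comment at the call such as `// env can carry secrets beyond GIT_SYNC_PASSWORD; keep at debug verbosity`.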
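Review bot: As shown here `redactedString` is the empty string, so a redacted argument is logged as `--password=` and cannot be told apart from a password that was set to nothing; if that is the real value rather than a rendering loss, a visible marker such as `const redactedString = "REDACTED"` (constructed example) makes the redaction evident to whoever reads the log. Now that the constant is package-level and shared by two helpers it also deserves a one-line comment, e.g. `// redactedString replaces sensitive values in log output.`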
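Review bot: `logSafeEnv` redacts by exact match on one name, `GIT_SYNC_PASSWORD=`, so any other secret-bearing variable in the environment (a token, an API key, a second password under a different name) is copied to `ret` unchanged and then logged by the call in the first hunk. Matching on the variable name rather than one literal covers the common cases without dropping entries, as sketched below; it remains a heuristic, since a credential embedded in a URL value under a neutral name would still pass through. A table-driven test over names such as `GIT_SYNC_PASSWORD`, a `*_TOKEN` variable and an entry without `=` would pin the behaviour.

```go
// sensitiveEnvHints marks variable names whose values must not reach the log.
var sensitiveEnvHints = []string{"PASSWORD", "PASSWD", "SECRET", "TOKEN", "CREDENTIAL"}

func logSafeEnv(env []string) []string {
	ret := make([]string, len(env))
	for i, ev := range env {
		// Split on the first '=' only; values may themselves contain '='.
		name := ev
		if eq := strings.IndexByte(ev, '='); eq >= 0 {
			name = ev[:eq]
		}
		upper := strings.ToUpper(name)
		for _, hint := range sensitiveEnvHints {
			if strings.Contains(upper, hint) {
				ev = name + "=" + redactedString
				break
			}
		}
		// … unchanged: ret[i] = ev, return ret …
```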