diff --git a/knip_output.txt b/knip_output.txt
new file mode 100644
index 00000000000..e9d479a4c55
--- /dev/null
+++ b/knip_output.txt
@@ -0,0 +1,3 @@
+
+> @0.0.0 knip /app
+> knip --workspace \@shopify/app
diff --git a/packages/app/src/cli/services/app/env/pull.test.ts b/packages/app/src/cli/services/app/env/pull.test.ts
index c8fd46e2488..8058faa2944 100644
--- a/packages/app/src/cli/services/app/env/pull.test.ts
+++ b/packages/app/src/cli/services/app/env/pull.test.ts
@@ -40,7 +40,7 @@ describe('env pull', () => {
       "Created ${filePath}:
 
       SHOPIFY_API_KEY=api-key
-      SHOPIFY_API_SECRET=api-secret
+      SHOPIFY_API_SECRET=******
       SCOPES=my-scope
       "
       `)
@@ -66,15 +66,15 @@ describe('env pull', () => {
       "Updated ${filePath} to be:
 
       SHOPIFY_API_KEY=api-key
-      SHOPIFY_API_SECRET=api-secret
+      SHOPIFY_API_SECRET=******
       SCOPES=my-scope
 
       Here's what changed:
 
       - SHOPIFY_API_KEY=ABC
-      - SHOPIFY_API_SECRET=XYZ
+      - SHOPIFY_API_SECRET=******
       + SHOPIFY_API_KEY=api-key
-      + SHOPIFY_API_SECRET=api-secret
+      + SHOPIFY_API_SECRET=******
       SCOPES=my-scope
         "
       `)
diff --git a/packages/app/src/cli/services/app/env/pull.ts b/packages/app/src/cli/services/app/env/pull.ts
index 422749dd02e..4aea8b3476d 100644
--- a/packages/app/src/cli/services/app/env/pull.ts
+++ b/packages/app/src/cli/services/app/env/pull.ts
@@ -34,13 +34,20 @@ export async function pullEnv({app, remoteApp, organization, envFile}: PullEnvOp
       await writeFile(envFile, updatedEnvFileContent)
 
       const diff = diffLines(envFileContent ?? '', updatedEnvFileContent)
+      const redactedDiff = diff.map((change) => ({
+        ...change,
+        value: change.value.replace(/^(SHOPIFY_API_SECRET=)(.*)$/gm, '$1******'),
+      }))
+
+      const redactedEnvFileContent = updatedEnvFileContent.replace(/^(SHOPIFY_API_SECRET=)(.*)$/gm, '$1******')
+
       return outputContent`Updated ${outputToken.path(envFile)} to be:
 
-${updatedEnvFileContent}
+${redactedEnvFileContent}
 
 Here's what changed:
 
-${outputToken.linesDiff(diff)}
+${outputToken.linesDiff(redactedDiff)}
   `
     }
   } else {
@@ -48,9 +55,11 @@ ${outputToken.linesDiff(diff)}
 
     await writeFile(envFile, newEnvFileContent)
 
+    const redactedEnvFileContent = newEnvFileContent.replace(/^(SHOPIFY_API_SECRET=)(.*)$/gm, '$1******')
+
     return outputContent`Created ${outputToken.path(envFile)}:
 
-${newEnvFileContent}
+${redactedEnvFileContent}
 `
   }
 }
diff --git a/packages/app/src/cli/services/app/env/show.test.ts b/packages/app/src/cli/services/app/env/show.test.ts
index cd3e039e7c9..5fb54348c3f 100644
--- a/packages/app/src/cli/services/app/env/show.test.ts
+++ b/packages/app/src/cli/services/app/env/show.test.ts
@@ -38,7 +38,7 @@ describe('env show', () => {
     expect(unstyled(stringifyMessage(result))).toMatchInlineSnapshot(`
     "
         SHOPIFY_API_KEY=api-key
-        SHOPIFY_API_SECRET=api-secret
+        SHOPIFY_API_SECRET=******
         SCOPES=my-scope
       "
     `)
diff --git a/packages/app/src/cli/services/app/env/show.ts b/packages/app/src/cli/services/app/env/show.ts
index a2dbab01a07..51bb478253f 100644
--- a/packages/app/src/cli/services/app/env/show.ts
+++ b/packages/app/src/cli/services/app/env/show.ts
@@ -21,16 +21,17 @@ export async function outputEnv(
 ): Promise<OutputMessage> {
   await logMetadataForLoadedContext(remoteApp, organization.source)
 
+  const redactedApiSecret = remoteApp.apiSecretKeys[0]?.secret ? '******' : ''
   if (format === 'json') {
     return outputContent`${outputToken.json({
       SHOPIFY_API_KEY: remoteApp.apiKey,
-      SHOPIFY_API_SECRET: remoteApp.apiSecretKeys[0]?.secret,
+      SHOPIFY_API_SECRET: redactedApiSecret,
       SCOPES: getAppScopes(app.configuration),
     })}`
   } else {
     return outputContent`
     ${outputToken.green('SHOPIFY_API_KEY')}=${remoteApp.apiKey}
-    ${outputToken.green('SHOPIFY_API_SECRET')}=${remoteApp.apiSecretKeys[0]?.secret ?? ''}
+    ${outputToken.green('SHOPIFY_API_SECRET')}=${redactedApiSecret}
     ${outputToken.green('SCOPES')}=${getAppScopes(app.configuration)}
   `
   }
diff --git a/packages/app/src/cli/services/info.test.ts b/packages/app/src/cli/services/info.test.ts
index 2b7acb04be0..9d89d8974e9 100644
--- a/packages/app/src/cli/services/info.test.ts
+++ b/packages/app/src/cli/services/info.test.ts
@@ -97,7 +97,7 @@ describe('info', () => {
       expect(unstyled(stringifyMessage(result))).toMatchInlineSnapshot(`
       "
           SHOPIFY_API_KEY=api-key
-          SHOPIFY_API_SECRET=api-secret
+          SHOPIFY_API_SECRET=******
           SCOPES=my-scope
         "
       `)
@@ -121,7 +121,7 @@ describe('info', () => {
       expect(unstyled(stringifyMessage(result))).toMatchInlineSnapshot(`
         "{
           "SHOPIFY_API_KEY": "api-key",
-          "SHOPIFY_API_SECRET": "api-secret",
+          "SHOPIFY_API_SECRET": "******",
           "SCOPES": "my-scope"
         }"
       `)