diff --git a/pkg/dagger.io/dagger/engine/transformsecret.cue b/pkg/dagger.io/dagger/engine/transformsecret.cue
new file mode 100644
index 00000000..1eae9459
--- /dev/null
+++ b/pkg/dagger.io/dagger/engine/transformsecret.cue
@@ -0,0 +1,17 @@
+package engine
+
+// Securely apply a CUE transformation on the contents of a secret
+#TransformSecret: {
+ $dagger: task: _name: "TransformSecret"
+ // The original secret
+ input: #Secret
+ // A new secret with the transformation applied
+ output: #Secret
+ // Transformation function
+ #function: {
+ // Full contents of the input secret (only available to the function)
+ input: string
+ // New contents of the output secret (must provided by the caller)
+ output: string
+ }
+}
diff --git a/plan/task/transformsecret.go b/plan/task/transformsecret.go
new file mode 100644
index 00000000..4184d863
--- /dev/null
+++ b/plan/task/transformsecret.go
@@ -0,0 +1,47 @@
+package task
+
+import (
+ "context"
+ "errors"
+
+ "cuelang.org/go/cue"
+ "github.com/rs/zerolog/log"
+ "go.dagger.io/dagger/compiler"
+ "go.dagger.io/dagger/plancontext"
+ "go.dagger.io/dagger/solver"
+)
+
+func init() {
+ Register("TransformSecret", func() Task { return &transformSecretTask{} })
+}
+
+type transformSecretTask struct {
+}
+
+func (c *transformSecretTask) Run(ctx context.Context, pctx *plancontext.Context, _ solver.Solver, v *compiler.Value) (*compiler.Value, error) {
+ lg := log.Ctx(ctx)
+ lg.Debug().Msg("transforming secret")
+
+ input := v.Lookup("input")
+ if !plancontext.IsSecretValue(input) {
+ return nil, errors.New("#TransformSecret requires input: #Secret")
+ }
+
+ inputSecret, err := pctx.Secrets.FromValue(input)
+ if err != nil {
+ return nil, err
+ }
+
+ function := v.Lookup("#function")
+ function.FillPath(cue.ParsePath("input"), inputSecret.PlainText())
+
+ outputPlaintext, err := function.Lookup("output").String()
+ if err != nil {
+ return nil, err
+ }
+
+ outputSecret := pctx.Secrets.New(outputPlaintext)
+ return compiler.NewValue().FillFields(map[string]interface{}{
+ "output": outputSecret.MarshalCUE(),
+ })
+}
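Review bot: The result of `function.FillPath(cue.ParsePath("input"), inputSecret.PlainText())` in `Run` is discarded, so a failed fill (for example a plaintext that conflicts with a constraint on `#function.input`) only surfaces later as a less specific error from `function.Lookup("output").String()`. If FillPath reports failure through a return value (its signature is not visible in this hunk), check it: `if err := function.FillPath(cue.ParsePath("input"), inputSecret.PlainText()); err != nil { return nil, errors.New("#TransformSecret: cannot fill #function.input") }`. Both that error and the one from `.String()` arise after the plaintext has been written into the CUE value, and CUE evaluation errors can quote the values involved, so returning `err` unchanged may carry secret contents into logs; a fixed message, or one with the plaintext redacted, avoids that. A doc comment on `Run` stating that the input plaintext must never reach log fields or error strings would protect later edits.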