Simple protection of CI secret variables
Problem to Solve
It would be cool to have a simple protection of secret variables (e.g. credentials like username, password) in the build log output, mainly to protect against unintentional leaking of secret values.
Reference from Jenkins: https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin
- In case some software invoked in the build process shows the password (e.g. in a debug log or similar)
- Example: testing of Chef cookbooks, which access some password-protected sources to fetch the software, which is invoked in the test procedure.
- It would be a very easy protection for most cases where some secret might get visible in the log
- Simple string replacement on secret variable value in build log
- Additional checkbox in the GitLab UI (see screenshot below)
- GitLab CI runner gets information on whether protection is required and does the replacement in the build log
It is important to note that there are lots of other ways to exfiltrate sensitive information. This would only really protect against unintentional output of sensitive values in the output. This needs to be clear when turning the feature on (similar to the warning in incognito mode in your browser that it isn't truly making you invisible).
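A sketch of the proposed string replacement, as an added example and not GitLab Runner code: it masks secret values in a build log that arrives in chunks, including a value split across two chunks, and shows that a transformed value passes through unmasked. The names `LogMasker`, `mask_stream`, `MASK` and the sample secret are hypothetical and constructed for illustration.

```python
import re

MASK = "[MASKED]"               # hypothetical replacement text
SECRET = "s3cr3t-Passw0rd"      # constructed sample value, not a real credential


class LogMasker:
    """Replaces secret values in a streamed log, even when split across chunks."""

    def __init__(self, secrets):
        # Longest first, so a secret that contains another one is masked whole.
        values = sorted({s for s in secrets if s}, key=len, reverse=True)
        self._pattern = (
            re.compile("|".join(re.escape(v) for v in values)) if values else None
        )
        # The last (longest - 1) characters may be the start of a secret whose
        # remainder is still to come, so they are held back until more arrives.
        self._hold = len(values[0]) - 1 if values else 0
        self._buf = ""

    def _scan(self, limit):
        out, i = [], 0
        while i < limit:
            m = self._pattern.match(self._buf, i) if self._pattern else None
            if m:
                out.append(MASK)
                i = m.end()
            else:
                out.append(self._buf[i])
                i += 1
        self._buf = self._buf[i:]
        return "".join(out)

    def feed(self, chunk):
        self._buf += chunk
        return self._scan(len(self._buf) - self._hold)

    def flush(self):
        # End of the job: nothing more can complete a secret, emit the rest.
        return self._scan(len(self._buf))


def mask_stream(chunks, secrets):
    masker = LogMasker(secrets)
    return "".join(masker.feed(c) for c in chunks) + masker.flush()
```

Masking each chunk independently would miss a value that straddles a chunk boundary, which is why the tail of the buffer is held back.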