Keep Variables Masked during Debug Logging, add Flag to Unmask
Release notes
Enhanced security during debug logging by keeping masked variables masked in logs. Variables should continue to be masked by default during debug logging, but a flag can be explicitly set to allow variables to be unmasked if required for troubleshooting.
Problem to solve
At present, when debug logging is enabled in the .gitlab-ci.yml job by setting the CI_DEBUG_TRACE variable to true, masked variables are unmasked and stored in clear text. If the logs are shipped to an external system for consumption, the masked variables, which may contain secrets, will be exposed in the 3rd party systems to unauthorised teams.
Unmasking variables may not be the intent of the debugging session and therefore a user may not explicitly remember to deactivate debug logging after a session that did not require them. By explicitly defining a flag to activate variable unmasking, a visual cue is provided to a user to deactivate it after a debug session.
This would also allow projects to be scanned periodically to check pipelines that have the flag set to true.
Proposal
Explicitly require a user to enable unmasking of masked variables when debug logging is enabled.
Add a new job variable, CI_DEBUG_TRACE_UNMASK; when it is set to true, variables will be unmasked.
job_name:
  variables:
    CI_DEBUG_TRACE_UNMASK: "true"
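The periodic scan mentioned under "Problem to solve" could look like the following Ruby script, added here as an illustration and not part of the GitLab code base. It assumes a variable counts as enabled when its value is "true" in any letter case, uses a partial list of reserved top-level keywords, and does not resolve include or extends; the sample pipeline is constructed.

```ruby
require 'yaml'

# Top-level keywords that are not jobs (partial list, an assumption of this example).
RESERVED = %w[default include stages variables workflow image services cache
              before_script after_script].freeze

# A variable is either a scalar or a hash carrying a "value" key.
def var_value(raw)
  raw = raw['value'] if raw.is_a?(Hash)
  raw.to_s.strip.downcase
end

def enabled?(vars, name)
  var_value(vars[name]) == 'true' # assumed truthiness rule
end

# One finding per job whose effective variables turn debug tracing on.
def audit_debug_trace(yaml_text)
  config = YAML.safe_load(yaml_text, aliases: true)
  return [] unless config.is_a?(Hash)
  global = config['variables'].is_a?(Hash) ? config['variables'] : {}
  config.each_with_object([]) do |(name, job), findings|
    next if RESERVED.include?(name.to_s) || name.to_s.start_with?('.')
    next unless job.is_a?(Hash)
    job_vars = job['variables'].is_a?(Hash) ? job['variables'] : {}
    vars = global.merge(job_vars) # job-level values override global ones
    next unless enabled?(vars, 'CI_DEBUG_TRACE')
    findings << { job: name, unmask: enabled?(vars, 'CI_DEBUG_TRACE_UNMASK') }
  end
end

# Constructed sample pipeline, not taken from any real project.
SAMPLE = <<~CI_YAML
  variables:
    CI_DEBUG_TRACE: "true"      # global: applies to every job
  build:
    script: make
  test:
    variables:
      CI_DEBUG_TRACE: "false"   # job-level override turns tracing off
    script: make test
  deploy:
    variables:
      CI_DEBUG_TRACE_UNMASK: "true"
    script: make deploy
CI_YAML

if __FILE__ == $PROGRAM_NAME
  audit_debug_trace(SAMPLE).each { |f| puts "#{f[:job]}: trace on, unmask=#{f[:unmask]}" }
end
```

Findings with `unmask: true` are the jobs that would write masked values in clear text under this proposal; the others only have debug tracing enabled.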
Intended users
- Software Developer
- Platform Engineer
- Software Engineer in Test
Feature Usage Metrics
Count of jobs with variable set to true.