Log SAST analyzer CI/CD variables to support debugging and config
Problem
SAST supports a huge variety of CI/CD variables that users may customize.
Configurations are:
- Often necessary to provide support (whether through GitLab Support or issues)
- Easy to mis-type or otherwise overlook
Proposal
Output the analyzer's configuration at the beginning of its job log.
The scope of the information output should be limited to what is specific to the analyzer, not every CI/CD variable present in the job context. For example, knowing the values of SAST_EXCLUDED_PATHS or COMPILE can be critical to understanding a support query.
If necessary, this can be restricted to the debug log level, since:
- users who are debugging would likely benefit from this information.
- we encourage users to enable the debug level when needed, and will continue to do so.
However, if the values aren't potentially sensitive or overly verbose, it would make sense to include them at the info level (the default level).
Important caution
CI/CD variables can have sensitive values like tokens; these present a security risk if shared. Any solution we adopt must not lead a user to unwittingly expose sensitive information in their job logs. (For example, see the cautions on the CI_DEBUG_TRACE option.)
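One way the analyzer could report its configuration while honouring the caution above, as an added illustration that is not code from GitLab's SAST analyzers: only an explicit allowlist of analyzer-specific variables is reported, names that look secret-bearing have their values redacted, and unset variables are listed only at debug level. The variable list, the sensitivity markers and the lookup signature are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Assumed allowlist of analyzer-specific variables to report. A real analyzer
// would declare its own; SAST_ANALYZER_TOKEN is a constructed name that shows
// how a secret-bearing variable is handled.
var reportedVars = []string{
	"SAST_EXCLUDED_PATHS", "COMPILE", "SECURE_LOG_LEVEL", "SAST_ANALYZER_TOKEN",
}

// sensitiveMarkers flag variable names whose values must never reach the log.
var sensitiveMarkers = []string{"TOKEN", "SECRET", "PASSWORD", "KEY"}

func isSensitive(name string) bool {
	upper := strings.ToUpper(name)
	for _, m := range sensitiveMarkers {
		if strings.Contains(upper, m) {
			return true
		}
	}
	return false
}

// configReport returns the lines to log at job start. lookup stands in for
// os.LookupEnv so the function can be tested; verbose mirrors the debug level.
func configReport(lookup func(string) (string, bool), verbose bool) []string {
	names := append([]string(nil), reportedVars...)
	sort.Strings(names)
	var lines []string
	for _, n := range names {
		v, set := lookup(n)
		switch {
		case !set && verbose:
			lines = append(lines, n+" is not set")
		case set && isSensitive(n):
			lines = append(lines, n+" is set (value redacted)")
		case set:
			lines = append(lines, fmt.Sprintf("%s=%q", n, v))
		}
	}
	return lines
}

func main() {
	for _, l := range configReport(os.LookupEnv, true) {
		fmt.Println("[INFO] " + l)
	}
}
```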