<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=16364) </details> <!--IssueSummary end--> ### Description In gitlab-ce#21911, user error is discussed as one of the ways build secrets can end up leaking. Currently, when a gitlab authentication token is displayed in build output, it will be automatically redacted. It would be nice to extend this concept to other arbitrary strings. This could be done by having regexes configurable in the runner, and/or specifying that the contents of certain environment variables are not allowed to be sent back in build output. If $SOME_VAR=asdkjf0129301923123, and SOME_VAR has been specified as 'taboo', then the runner would replace any occurance of 'asdkjf0129301923123' in the build logs with '***REDACTED***' prior to sending the build log back to the mothership. This could also protect against cases where unexpected events (i.e. a crash/exception) end up causing build secrets to be displayed, possibly without a direct mistake by the user. This is related to gitlab-ce#13784 but is instead relating to the case where build secrets are injected by having them present on a runner. Having the runner itself configured to redact reduces the scope of systems which are are likely to be exposed to the information and/or have the capability to cause the information to be exposed.