Output when using secure variables should be 'secured'


27 Sep, 2015 11:34 PM

When the console output is processed, if the value of a secure variable is detected, it should replace it with something else like '********' or [SECURE_VARIABLE_NAME].

In most cases, when writing scripts, people won't print out their variable values, but if the script errors for some reason, there is a chance that the value that was passed to it will be printed in the build log.

  1. Support Staff 1 Posted by Feodor Fitsner on 28 Sep, 2015 12:48 AM

    Well, there is no way to distinguish secure and "regular" variables, as they are all essentially environment variables.

  2. 2 Posted by Ryan on 28 Sep, 2015 01:15 AM

    Yeah, I actually sort of figured that is how they worked. It just makes secure variables very insecure if something dumps them out without the knowledge of "the user", because now their API key or signing cert password is in the build log for the world to see.

    In my example, a ps script failed to load because of a typo, and all the values that were passed to it were dumped to the log in the exception message.

  3. Support Staff 3 Posted by Feodor Fitsner on 28 Sep, 2015 01:20 AM

    Right, you should be careful about exposing them. Once they are exposed to the public, update that sensitive information (passwords, tokens, keys, etc.).

    The main protection mechanism for secure variables: they are not set for PR builds, so people who don't have commit rights to the repo can't list them.

  4. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:00 AM.
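
The masking requested in this thread can be applied by the build script itself. The following is an added example, not AppVeyor code or anything posted in the discussion: a filter for streamed build output that replaces the values of explicitly named variables with `[NAME]`. Because secure variables are ordinary environment variables, the caller has to list which names are secret; the class name, variable names and sample values are hypothetical.

```python
import base64
import os
import urllib.parse

class SecretMasker:
    """Mask the values of named secret variables in streamed build output."""
    MIN_LEN = 4  # shorter values would match unrelated text all over the log

    def __init__(self, names, environ=None):
        environ = os.environ if environ is None else environ
        table = {}
        for name in names:
            value = environ.get(name, "")
            if len(value) < self.MIN_LEN:
                continue
            # Values also show up base64- or URL-encoded in error output.
            for v in (value, base64.b64encode(value.encode()).decode(),
                      urllib.parse.quote(value, safe="")):
                table.setdefault(v, f"[{name}]")
        # Longest first, so a value that contains another is masked whole.
        self._table = sorted(table.items(), key=lambda kv: -len(kv[0]))
        # A value split across two chunks is at most this long in the tail.
        self._hold = max((len(v) for v, _ in self._table), default=1) - 1
        self._buf = ""

    def _mask(self, text):
        for value, label in self._table:
            text = text.replace(value, label)
        return text

    def feed(self, chunk):
        """Return the part of the output that is safe to write now."""
        masked = self._mask(self._buf + chunk)
        cut = max(len(masked) - self._hold, 0)
        self._buf = masked[cut:]
        return masked[:cut]

    def flush(self):
        """Return whatever is still held back at end of stream."""
        out, self._buf = self._mask(self._buf), ""
        return out


def demo():
    # Constructed environment and log chunks; the names are hypothetical.
    env = {"API_KEY": "s3cr3t-t0ken-123", "CERT_PASSWORD": "hunter2!"}
    m = SecretMasker(["API_KEY", "CERT_PASSWORD"], environ=env)
    chunks = ["Cannot load script: -ApiKey s3cr3t-t0", "ken-123 -Password hunter2!\n"]
    return "".join(m.feed(c) for c in chunks) + m.flush()
```

A filter like this only catches the exact, base64 and URL-encoded forms of a value; a secret that has reached a public log still needs to be rotated.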
