Overview
CircleCI has a secret masking feature to help keep environment variables private. This feature automatically masks environment variables that are written to the build log.
Any environment variables which are set within a single project's settings or within an Organization context are subject to this masking.
Secret Masking Feature
- Any values that are used in Contexts or Environment variables are subject to masking provided that they:
  - Are greater than 4 characters
  - Are NOT equal to: `true`, `True`, `false`, or `False`
- Secret masking is only applied in step outputs using `echo` or `print` commands
- Re-running a job with SSH will allow users to see these values without obfuscation
Additional Notes:
- The CircleCI Support Engineering team is able to disable this feature on a per-project basis. An organization admin can submit a request to the CircleCI Support team to have this action taken.
- Values like `circleci` and other secrets which may not seem sensitive are subject to masking if they are in an Environment Variable
  - A common occurrence of this is if using the Slack orb Context with a Channel name such as `circleci`
- A feature request to enable adding values to an allow-list for Secret Masking can be found here.
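The rules above can be checked against a project's variables before they reach a build log. The following is an added example, not CircleCI code: it models the eligibility rules from this article to show which values stay visible and which benign values get masked. The `****` placeholder, the plain substring replacement, and all sample names and values are assumptions made for illustration.

```python
# Added example: models the masking rules stated in this article.
# MASK and the substring-replacement behaviour are assumptions, not CircleCI internals.
NEVER_MASKED = {"true", "True", "false", "False"}
MASK = "****"  # assumed placeholder, not taken from the article


def is_masked(value: str) -> bool:
    """Apply the article's eligibility rules to one variable value."""
    return len(value) > 4 and value not in NEVER_MASKED


def audit(env: dict[str, str]) -> dict[str, list[str]]:
    """Split variable names into those whose values are masked and those that are not."""
    report = {"masked": [], "unmasked": []}
    for name, value in env.items():
        report["masked" if is_masked(value) else "unmasked"].append(name)
    return report


def mask_line(line: str, env: dict[str, str]) -> str:
    """Replace every eligible value in a log line, longest value first."""
    for value in sorted(filter(is_masked, env.values()), key=len, reverse=True):
        line = line.replace(value, MASK)
    return line


# Constructed sample variables; none are real credentials.
SAMPLE_ENV = {
    "API_TOKEN": "s3cr3t-token-value",
    "DB_PIN": "4821",             # 4 characters: not "greater than 4", so never masked
    "DEBUG": "false",             # excluded literal
    "SLACK_CHANNEL": "circleci",  # not sensitive, but masked anyway
}

if __name__ == "__main__":
    print(audit(SAMPLE_ENV))
    for line in (
        "echo token=s3cr3t-token-value pin=4821",
        "Posting to #circleci from circleci/node image",
    ):
        print(mask_line(line, SAMPLE_ENV))
```

Any name reported under `unmasked` holds a value that would appear in clear text in step output, so short secrets should be lengthened or kept out of anything a step prints.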