Masking secrets in output logs

security

#1

I am evaluating the possibility of migrating (from Travis) a project to CircleCI but I found that environment variables with secrets are shown in the build logs. Note that I can hide them but I would be more comfortable if there is an automated mechanism to do so. I saw this post:

So I wonder if there are plans to add that feature to 2.0 in the future. Thanks in advance.


Secrets such as tokens are visible in the UI
How to prevent token leaking?
#2

It depends on what threat you’re protecting against. Some folks want this in order to stop bad actors who have gotten into a CI system from printing secrets to the console. But if you find a way to stop them doing echo secret then you won’t stop them doing echo base64(secret) or echo rot13(secret) etc. i.e. creating output that is trivially decodable.

Even if you could stop all ways in which this data could be echoed, they could just send it to a Really Evil Web Service also. :scream:

We had someone asking about this here not so long ago, and shortly after I pointed out the above, he/she deleted the entire thread. Odd!

Edit

If you are just protecting against commands where secrets have to be put into the parameters, and you know the risks above about masking, could you just use a shell script called from the YAML file?


#3

As I see it is simpler than that, I am not thinking about bad actors. I can hide everything now and I will be fine but N months from now I may be debugging something and executing env without remembering this issue. With that all the secrets present as environment variables will be exposed.

As a suggestion, I like the solution of Travis that simply puts this [secret] whenever it finds a match with the secrets it has configured. It is not perfect but it protects against accidental exposures.


#4

Fair enough! I don’t know if it is there already, but you could post to the ideas list.


#5

done, thanks for the pointer!


#6