Security: Gitness secrets show up on pipeline execution logs in plaintext
When using a script within a run step, the Gitness secrets are printed in the pipeline execution log in plain text.
I suppose this is true for Gitness secrets in general and not just for the run step.
Ideally, I would like Gitness secrets to be redacted or masked in the pipeline execution log.
Hi @dewan-ahmed, I think there is no specific feature for redacting or masking secrets in the pipeline execution log. But we can use environment variables to address the issue of Gitness secrets being printed. Once the secrets are stored in environment variables, we can then use them in the pipeline scripts without having to expose them in plain text. Using environment variables to store and use the Gitness secrets is not a perfect solution, but it's a good way to prevent them from being printed in the execution logs while they work on a more permanent solution.
Thanks @DharunKumar04. Could you please share an example? Here's a portion of my pipeline definition:
```yaml
- name: cd-stage
  type: ci
  spec:
    steps:
      - name: cd-step
        type: run
        spec:
          container: alpine/k8s:1.26.9
          script: |-
            kubectl config set-cluster do-k8s-cluster --server=${{secrets.get("k8s_server")}} --insecure-skip-tls-verify=true
            kubectl config set-credentials my-user --token=${{secrets.get('gitness-sa-token')}}
```
How do I use the environment variable to store and use the Gitness secrets in this example? In my understanding, any reference to a Gitness secret within this run step will be printed in plaintext even if it's the first instance to store it in an environment variable.
Hi @dewan-ahmed, this is a known limitation at the moment. We will be rearchitecting some things and will fix this as part of that effort. Secrets being starred in logs is definitely expected behaviour :)
Thanks @vistaarjuneja
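Added example, not Gitness code and not written by anyone in this thread: the log masking requested in the issue, done as a Go `io.Writer` that replaces known secret values before a log line reaches its sink, including a value split across two writes. The names `Masker`, `NewMasker` and `maskLog`, the `******` placeholder, the 4-character minimum and the token value are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
)

type Masker struct { // wraps a log sink and masks known secret values
	out io.Writer
	rep *strings.Replacer
	buf []byte // unfinished line carried over between Write calls
}

func NewMasker(out io.Writer, secrets []string) *Masker {
	var pairs []string
	for _, s := range secrets {
		for _, part := range strings.Split(s, "\n") { // multi-line secret: mask per line
			if p := strings.TrimSpace(part); len(p) >= 4 { // skip empty/tiny values
				pairs = append(pairs, p, "******")
			}
		}
	}
	return &Masker{out: out, rep: strings.NewReplacer(pairs...)}
}

// Write holds back the partial last line so a secret split across calls is seen whole.
func (m *Masker) Write(p []byte) (int, error) {
	m.buf = append(m.buf, p...)
	i := bytes.LastIndexByte(m.buf, '\n') + 1 // 0 while no line is complete
	_, err := io.WriteString(m.out, m.rep.Replace(string(m.buf[:i])))
	m.buf = m.buf[i:]
	return len(p), err
}

// maskLog feeds chunks through a Masker and returns what a log viewer would show.
func maskLog(secrets []string, chunks ...string) string {
	var sink bytes.Buffer
	m := NewMasker(&sink, secrets)
	for _, c := range chunks {
		io.WriteString(m, c)
	}
	return sink.String() + m.rep.Replace(string(m.buf)) // plus a final partial line
}

func main() {
	fmt.Print(maskLog([]string{"CONSTRUCTED-sa-token-0123"}, // constructed sample values
		"kubectl config set-credentials my-user --token=CONSTRUCTED-sa-", "token-0123\n"))
}
```

Exact-value masking of this kind does not catch a secret that a script prints in a transformed form, such as base64 or URL encoding, so it reduces accidental exposure in logs rather than guaranteeing it.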