CI/CD provider
Pipeline enables CI debug trace
Control: Pipeline must not enable debug trace · Config key: pipelineMustNotEnableDebugTrace
📋 What is this?
The pipeline enables CI_DEBUG_TRACE or CI_DEBUG_SERVICES, which causes GitLab CI to print all environment variables, including secrets, in the job logs.
⚠️ Impact
**This is a critical security vulnerability.** When debug trace is enabled, every secret variable (API tokens, passwords, deployment keys) is printed in plain text in the job logs. These logs may be accessible to anyone with repository access.
🔧 How to fix
Remove CI_DEBUG_TRACE and CI_DEBUG_SERVICES from your pipeline configuration. These should only be used temporarily for local debugging and must never be committed.
```yaml
# .gitlab-ci.yml — ❌ Debug trace enabled (CRITICAL)
variables:
  CI_DEBUG_TRACE: "true"        # Exposes ALL secrets in logs!

deploy:
  stage: deploy
  variables:
    CI_DEBUG_SERVICES: "true"   # Also exposes secrets
  script:
    - deploy.sh
```

```yaml
# .gitlab-ci.yml — ✅ Debug trace removed
variables: {}                   # CI_DEBUG_TRACE removed (empty map keeps the file valid)

deploy:
  stage: deploy
  script:
    - deploy.sh

# For debugging, use these safer alternatives:
# - Add specific echo/print statements
# - Use 'set -x' for specific script sections only
# - Run a debug pipeline with limited access
```

💡 Tips
- If you need to debug a CI job, use `set -x` on specific script lines instead of `CI_DEBUG_TRACE`.
- If debug trace was ever enabled, **rotate all secrets** that may have been exposed in logs.
- Configure `pipelineMustNotEnableDebugTrace.forbiddenVariables` to also flag other sensitive debug variables.
- Consider setting up CI job log retention policies to limit the exposure window.
⚙️ Configuration
This control is configured in .plumber.yaml under the gitlab section:
```yaml
gitlab:
  controls:
    pipelineMustNotEnableDebugTrace:
      enabled: true
```

See the CLI documentation for the full configuration reference.
Workflow enables runner debug logging
Control: Pipeline must not enable debug trace · Config key: pipelineMustNotEnableDebugTrace
📋 What is this?
Committed workflow YAML enables runner debug logging through static `env:` blocks (workflow-, job-, or step-level, merged per job): a literal truthy value (`true`, `1`, `yes`), a GitHub expression (`${{ }}`) bound to a forbidden name (which cannot be proven off statically), or a `run:` line that writes a forbidden name to `$GITHUB_ENV`. When either toggle is on at run time, the runner prints environment variables and internal SDK calls into the job log and bypasses secret masking for that dump. Org/repo Variables that the YAML never references, and the UI-only "Re-run with debug logging" option, are out of scope.
⚠️ Impact
Every secret the workflow can read becomes visible to anyone with actions: read on the repository, plus to anyone who can download the log artefact (GitHub retains logs for 90 days by default). The exposure window for organisation-wide secrets, deploy tokens, and OIDC-minted cloud credentials starts the moment the run completes and lasts as long as the log is retained.
🔧 How to fix
Remove ACTIONS_STEP_DEBUG and ACTIONS_RUNNER_DEBUG from every env: block in the workflow file (workflow-level, job-level, and step-level). For per-run diagnostics, set the variables in the GitHub UI under Actions → Re-run with debug logging so they apply to a single re-run and never get committed.
```yaml
# .github/workflows/ci.yml — ❌ Runner debug logging committed
name: ci
on: [push]
env:
  ACTIONS_STEP_DEBUG: "true"   # exposes every secret in the job log
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: ./build.sh
```

```yaml
# .github/workflows/ci.yml — ✅ No debug toggles in the workflow file
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: ./build.sh
```

```yaml
# .plumber.yaml
github:
  controls:
    pipelineMustNotEnableDebugTrace:
      enabled: true
      forbiddenVariables:
        - ACTIONS_STEP_DEBUG
        - ACTIONS_RUNNER_DEBUG
```

💡 Tips
- Literal `env:` truthy values and `${{ }}` bindings on forbidden names are both flagged. `run:` steps that write a forbidden name to `$GITHUB_ENV` are flagged too.
- Workflow-, job-, and step-level `env:` are all scanned (merged into each job). A workflow-level toggle produces one finding per affected job.
- A `run:` line that writes a forbidden name to `$GITHUB_ENV` without using that exact name in the script text (e.g. via a shell variable) is out of scope.
- If either toggle ever shipped to main, rotate every secret the affected workflow could read. Extend `forbiddenVariables` for custom runner diagnostics.
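As an added example (not plumber's own code), here is a compact Python version of the static checks the tips above describe: per-job merge of workflow/job/step `env:`, truthy literals, `${{ }}` expressions, and `run:` lines exporting to `$GITHUB_ENV`. It operates on the workflow already parsed into a dict (the shape `yaml.safe_load` returns) so it runs without dependencies, and `FORBIDDEN` is an assumed default mirroring the two names in the config snippet.

```python
import re

# Default forbidden toggles (assumed; the real list is forbiddenVariables in .plumber.yaml).
FORBIDDEN = {"ACTIONS_STEP_DEBUG", "ACTIONS_RUNNER_DEBUG"}
TRUTHY = {"true", "1", "yes"}
EXPR_RE = re.compile(r"^\$\{\{.*\}\}$", re.S)   # a whole-value GitHub expression

def classify(value):
    """Reason a value cannot be proven 'off' statically, or None if it is off."""
    if isinstance(value, bool):                  # unquoted YAML true/false
        return "literal truthy value" if value else None
    s = str(value).strip()
    if s.lower() in TRUTHY:
        return "literal truthy value"
    if EXPR_RE.match(s):                         # ${{ vars.X }}: unknown until run time
        return "expression (cannot prove off statically)"
    return None

def scan_workflow(doc, forbidden=FORBIDDEN):
    """Return (job, variable, reason) findings for a parsed workflow document."""
    findings = []
    wf_env = doc.get("env") or {}
    for job_name, job in (doc.get("jobs") or {}).items():
        # Merge workflow-, job- and step-level env into one view per job,
        # so a workflow-level toggle yields one finding per affected job.
        merged = dict(wf_env)
        merged.update(job.get("env") or {})
        steps = job.get("steps") or []
        for step in steps:
            merged.update(step.get("env") or {})
        for name in sorted(forbidden & set(merged)):
            reason = classify(merged[name])
            if reason:
                findings.append((job_name, name, reason))
        # run: lines that export a forbidden name through $GITHUB_ENV.
        for step in steps:
            for name in sorted(forbidden):
                if re.search(rf"\b{re.escape(name)}=.*GITHUB_ENV", step.get("run") or ""):
                    findings.append((job_name, name, "written to $GITHUB_ENV in run:"))
    return findings

# Constructed sample, shaped like yaml.safe_load output for a workflow file.
SAMPLE = {
    "name": "ci",
    "env": {"ACTIONS_STEP_DEBUG": "true"},                  # workflow-level literal
    "jobs": {
        "build": {"steps": [{"run": "./build.sh"}]},
        "test": {"env": {"ACTIONS_STEP_DEBUG": "false"},     # job-level override to off
                 "steps": [{"run": "./test.sh"}]},
        "deploy": {"env": {"ACTIONS_RUNNER_DEBUG": "${{ vars.DEBUG }}"},
                   "steps": [{"run": 'echo "ACTIONS_STEP_DEBUG=1" >> "$GITHUB_ENV"'}]},
    },
}
```

Running `scan_workflow(SAMPLE)` flags `build` and `deploy` (three findings for `deploy`) but not `test`, whose job-level override turns the toggle off after the merge.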
⚙️ Configuration
This control is configured in .plumber.yaml under the github section:
```yaml
github:
  controls:
    pipelineMustNotEnableDebugTrace:
      enabled: true
```

See the CLI documentation for the full configuration reference.