ISSUE-202 Medium Quick CI/CD Variables
Unmasked variable
Control: CI/CD variables must be masked · Config key: cicdVariablesMustBeMasked
📋 What is this?
A CI/CD variable stored in a GitLab project or group is not masked, causing its value to be exposed in pipeline logs.
⚠️ Impact
Exposed variable values can result in unauthorized access to your sensitive data. For instance, if your database password is visible in logs, it can be exploited to gain direct database access.
🔧 How to fix
Mask the CI/CD variable to hide its value in logs.
✗ Before
The unmasked variable value appears in plain text in job logs.

```
# GitLab project settings — ❌ Variable not masked
# Settings > CI/CD > Variables:
#
# Key: DATABASE_PASSWORD
# Value: MySecretP@ssw0rd!
# Masked: false ← Value will appear in job logs
#
# Job log output (anyone with access can read this):
# $ echo $DATABASE_PASSWORD
# MySecretP@ssw0rd!
```

✓ After
Masking the variable hides its value in all pipeline logs.

```
# GitLab project settings — ✅ Variable masked
# Settings > CI/CD > Variables:
#
# Key: DATABASE_PASSWORD
# Value: MySecretP@ssw0rd!
# Masked: true ← Value is hidden in logs as [MASKED]
#
# Job log output (value is hidden):
# $ echo $DATABASE_PASSWORD
# [MASKED]
#
# .plumber.yaml
controls:
  cicdVariablesMustBeMasked:
    enabled: true
```

💡 Tips
- Enable masking in GitLab under **Settings > CI/CD > Variables**.
- GitLab requires masked values to meet certain format requirements (at least 8 characters, no spaces).
- For variables that cannot be masked due to format, consider using an external secrets manager.
- Combine with protection (see ISSUE-201) for full coverage.
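The tips above imply a triage step: each unmasked variable either can be masked as-is or fails the format requirements and belongs in an external secrets manager. The following is an added example, not Plumber's own code; it assumes variable records shaped like GitLab's project variables API response (`key`, `value`, `masked`, `environment_scope`), runs on a constructed sample, and uses the hypothetical function names `masking_blockers` and `audit_variables`.

```python
import json

# Constructed sample, shaped like the JSON list returned by GitLab's
# GET /projects/:id/variables endpoint. All values are made up.
SAMPLE_RESPONSE = json.dumps([
    {"key": "DATABASE_PASSWORD", "value": "MySecretP@ssw0rd!", "masked": False,
     "environment_scope": "*"},
    {"key": "API_TOKEN", "value": "constructed-token-0001", "masked": True,
     "environment_scope": "production"},
    {"key": "DEPLOY_PIN", "value": "1234", "masked": False,
     "environment_scope": "*"},
    {"key": "SMTP_PASSWORD", "value": "two words here", "masked": False,
     "environment_scope": "staging"},
])

MIN_MASKED_LENGTH = 8  # "at least 8 characters" per the tip above


def masking_blockers(value):
    """Reasons a value fails the two format requirements named on this page.
    GitLab may enforce further rules; only these two are checked here."""
    blockers = []
    if len(value) < MIN_MASKED_LENGTH:
        blockers.append("shorter than 8 characters")
    if any(ch.isspace() for ch in value):  # assumption: any whitespace counts
        blockers.append("contains whitespace")
    return blockers


def audit_variables(variables):
    """Return one finding per unmasked variable, never including its value."""
    findings = []
    for var in variables:
        if var.get("masked"):
            continue
        blockers = masking_blockers(var.get("value", ""))
        findings.append({
            "key": var["key"],
            "scope": var.get("environment_scope", "*"),
            "action": "use an external secrets manager" if blockers
                      else "enable masking",
            "blockers": blockers,
        })
    return findings


if __name__ == "__main__":
    for f in audit_variables(json.loads(SAMPLE_RESPONSE)):
        why = f" ({', '.join(f['blockers'])})" if f["blockers"] else ""
        print(f"{f['key']} [{f['scope']}]: unmasked -> {f['action']}{why}")
```

The findings carry only the key, scope and recommended action, so the audit output itself can be logged without reproducing the exposure it reports.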
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
```
controls:
  cicdVariablesMustBeMasked:
    enabled: true
```

See the CLI documentation for the full configuration reference.