Pipeline enables CI debug trace
Control: Pipeline must not enable debug trace · Config key: pipelineMustNotEnableDebugTrace
📋 What is this?
The pipeline sets `CI_DEBUG_TRACE` or `CI_DEBUG_SERVICES`. `CI_DEBUG_TRACE` makes GitLab CI print every variable available to the job, including secrets, in the job log; `CI_DEBUG_SERVICES` streams service container output into the job log, which can expose credentials in the same way.
⚠️ Impact
**This is a critical security vulnerability.** When debug trace is enabled, every secret variable (API tokens, passwords, deployment keys) is printed in plain text in the job log. Job logs are visible to anyone who can view the project's CI/CD jobs, can be downloaded, and are retained after the run, so a single debug-enabled job can expose every secret it had access to.
🔧 How to fix
Remove `CI_DEBUG_TRACE` and `CI_DEBUG_SERVICES` from your pipeline configuration. If you ever need them, set them on a single manually triggered pipeline run rather than in `.gitlab-ci.yml`; they must never be committed.
```yaml
# .gitlab-ci.yml — ❌ Debug trace enabled (CRITICAL)
variables:
  CI_DEBUG_TRACE: "true"        # Exposes ALL secrets in logs!

deploy:
  stage: deploy
  variables:
    CI_DEBUG_SERVICES: "true"   # Also exposes secrets
  script:
    - deploy.sh
```

```yaml
# .gitlab-ci.yml — ✅ Debug trace removed
# (no CI_DEBUG_TRACE at the top level, no CI_DEBUG_SERVICES in any job;
#  an empty `variables:` key is not valid GitLab CI config, so drop the key)

deploy:
  stage: deploy
  script:
    - deploy.sh

# For debugging, use these safer alternatives:
# - Add specific echo/print statements
# - Use 'set -x' for specific script sections only
# - Run a debug pipeline with limited access
```

💡 Tips
- If you need to debug a CI job, use `set -x` on specific script lines instead of `CI_DEBUG_TRACE`. Keep in mind that `set -x` echoes the expanded command line, so a secret passed as a command argument is still written to the log; wrap such lines in `set +x` / `set -x` or keep the secret out of the argument list.
- If debug trace was ever enabled, **rotate all secrets** that may have been exposed in logs. Deleting the job log afterwards does not undo the exposure, since the log may already have been viewed, downloaded or forwarded.
- Configure `pipelineMustNotEnableDebugTrace.forbiddenVariables` to also flag other sensitive debug variables.
- Consider setting up CI job log retention policies to limit the exposure window.
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
```yaml
controls:
  pipelineMustNotEnableDebugTrace:
    enabled: true
```

See the CLI documentation for the full configuration reference.
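To stop a debug variable from being reintroduced before it ever reaches a pipeline, the same check can run as a pre-commit hook. The script below is an added example and is not plumber's own implementation; `FORBIDDEN_VARS` imitates a configurable variable list (any names you add beyond the two GitLab ones are your own choice), and the two `.gitlab-ci.yml` files are constructed for the demo.

```sh
#!/bin/sh
# Added example (not plumber's own implementation): a stand-alone pre-commit
# or pipeline check that fails when a GitLab CI file assigns a forbidden
# debug variable, at the top level or inside a job's `variables:` block.
# FORBIDDEN_VARS imitates a configurable list; extra names are your choice.

FORBIDDEN_VARS="${FORBIDDEN_VARS:-CI_DEBUG_TRACE CI_DEBUG_SERVICES}"

# Usage: check_ci_debug_vars FILE...
# Prints file:line:text for every hit and returns 1 if anything was found.
check_ci_debug_vars() {
  alt=''
  for v in $FORBIDDEN_VARS; do
    alt="${alt:+$alt|}$v"        # -> CI_DEBUG_TRACE|CI_DEBUG_SERVICES
  done
  # Match a YAML mapping key at any indentation. Full-line comments do not
  # match because the line must start with optional whitespace and the name.
  # GitLab only honours these keys under `variables:`, but flagging them
  # anywhere is the safe over-approximation. The trailing /dev/null makes
  # grep print the file name even when a single file is given.
  if grep -nE "^[[:space:]]*(${alt})[[:space:]]*:" "$@" /dev/null; then
    return 1
  fi
  return 0
}

# Number of offending lines, for scripting around the check.
count_ci_debug_vars() {
  check_ci_debug_vars "$@" | wc -l | tr -d ' '
}

# Constructed sample files (not real project files) to exercise the check.
demo_dir=$(mktemp -d)
cat >"$demo_dir/bad.gitlab-ci.yml" <<'EOF'
variables:
  CI_DEBUG_TRACE: "true"

deploy:
  stage: deploy
  variables:
    CI_DEBUG_SERVICES: "true"
  script:
    - deploy.sh
EOF

cat >"$demo_dir/good.gitlab-ci.yml" <<'EOF'
# CI_DEBUG_TRACE: "true"   <- commented out, must not be flagged
deploy:
  stage: deploy
  script:
    - deploy.sh
EOF

if check_ci_debug_vars "$demo_dir/bad.gitlab-ci.yml"; then
  echo "bad.gitlab-ci.yml: clean (unexpected)"
else
  echo "bad.gitlab-ci.yml: debug variables found, refusing commit"
fi
check_ci_debug_vars "$demo_dir/good.gitlab-ci.yml" && echo "good.gitlab-ci.yml: clean"
```

Wire `check_ci_debug_vars .gitlab-ci.yml` into a pre-commit hook or an early pipeline job so the commit or run fails before any job with the variable set can execute; the exit status is the signal, the printed `file:line` pairs are for the developer.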