Skip to content
Exlogare
← Back to all posts
by Exlogare Team CI/CD security logs DevOps

How to send CI logs to an external service without leaking secrets

A practical checklist for junior and mid-level engineers: which parts of a CI log are safe to send, what to redact first, and how to avoid turning debugging into a token leak.

A CI log looks harmless: a few thousand lines of build output, tests, deploy steps, and stack traces. In practice it can contain tokens, basic-auth URLs, environment variables, internal service names, and fragments of test data. The real question is not “can we send logs out?” but which slice of the log, after which cleanup, and for how long.

This guide is for engineers who already use GitLab CI, GitHub Actions, Jenkins, or TeamCity, but do not want to become security specialists just to connect failure diagnostics.

Quick primer

A CI log is the text output of a job: commands, stdout/stderr, stack traces, test messages, and sometimes tool debug output. Redaction means replacing secrets with safe placeholders such as [REDACTED_TOKEN]. RCA (root cause analysis) is a short answer: what failed, why it likely failed, and what to check first.

Safe log transfer is built on three simple rules:

  • send only the data needed for diagnostics;
  • redact secrets before sending;
  • do not keep raw logs longer than needed.

What not to send wholesale

Avoid sending an entire pipeline log “just in case.” In real projects it may include:

  • env, printenv, or set -x output;
  • Terraform, Helm, and kubectl parameters;
  • test database dumps and fixture data;
  • URLs like https://user:password@host;
  • stack traces with request payloads;
  • verbose package-manager output.

For first-pass RCA, the last 200–500 lines of the failed step are usually enough, plus metadata: provider, project, branch, commit SHA, job name, exit code, and a pipeline URL.

A minimal safe setup

  1. Use masked/protected variables in your CI system.
  2. Do not print secrets with echo, env, or set -x.
  3. Send the failed job, not the entire pipeline.
  4. Redact before sending: tokens, JWTs, private keys, AWS/GCP keys, and basic-auth URLs.
  5. Limit retention: raw logs are useful now, not six months from now.
  6. Sign webhooks or use a narrowly-scoped API token.

What you should not redact blindly

Over-redaction makes a log safe but useless. Diagnostics often need:

  • job and stage name;
  • package or service name;
  • exit code;
  • image/runtime version;
  • file or test path;
  • build/pipeline/job number;
  • the final stack-trace lines.

For example, npm ERR! code E401 without the registry and install command is weak context. The token from .npmrc must be replaced with [REDACTED_NPM_TOKEN], but the package manager and registry name should stay.

Where Exlogare fits

Exlogare works best not as a warehouse for every raw log, but as a service that receives a short sanitized failure context and posts an RCA where the team already works: in the MR/PR or next to the pipeline status. That reduces leakage risk and removes the manual step of reading the full log and summarizing it in chat.

Start with the ingest API docs or the generic curl integration. For data-handling expectations, see Security.

Related reading

Checklist

  • The log does not print full env/printenv.
  • CI masking is enabled for all tokens.
  • Only the failed-step tail is sent.
  • Redaction runs before the external API call.
  • Raw-log retention is limited.
  • The webhook/API call is authenticated.
  • RCA is stored separately from the raw log.