by Exlogare Team. Tags: CI/CD, security, logs, secrets

CI log secrets: 10 places where teams usually forget them

Docker login, npm verbose logs, Terraform debug, kubectl, echoing variables, and test artifacts: where secrets commonly leak into CI logs and how to stop it.

Most CI-log leaks do not look like a dramatic security incident. They usually start with a line someone added “for five minutes while debugging”: echo $TOKEN, set -x, terraform plan -debug, or kubectl describe secret.

This is a checklist for junior and mid-level engineers: where to look before you send logs to an external analyzer, store them as artifacts, or paste them into chat.

What counts as a secret

A secret is not just a password. In CI logs, watch for:

  • access and refresh tokens;
  • JWTs;
  • private keys;
  • cloud credentials;
  • URLs with login/password;
  • kubeconfig;
  • .npmrc, .pypirc, .docker/config.json;
  • test data with PII.

10 places secrets commonly appear

1. docker login. --password and debug output can leave credentials in the command line. Prefer --password-stdin.

2. npm/yarn/pnpm verbose logs. Auth failures may print registry URLs and .npmrc paths. Redact the token, keep the registry name.

3. Terraform debug. TF_LOG=DEBUG is useful but may show provider config, headers, and variable values.

4. kubectl and Helm. kubectl describe secret, Helm values, and rendered manifests can expose sensitive fields.

5. set -x in shell. Bash prints commands after variable expansion. curl -H "Authorization: Bearer $TOKEN" becomes a token in your log.

6. echo for variable checks. “Let me verify the variable arrived” is a classic leak. Print length or last four characters, not the value.

7. Test database dumps. Test fixtures can still contain emails, phone numbers, customer names, or internal IDs.

8. Crash reports. Some SDKs include request headers and payloads in stack traces.

9. Build args. Docker build args and build-tool output may print values if they are part of the command.

10. Artifacts. The log is clean, but artifact.zip contains .env, report.html, or junit.xml with PII.
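
The three items that are pure shell hygiene (1, 5 and 6) can be turned into small job-script helpers. The script below is an added example, not Exlogare's code: describe_secret reports only the length and last four characters of a variable, run_quiet switches xtrace off for a single secret-bearing command and restores it afterwards, and docker_login_safe feeds the password on stdin. REGISTRY, REGISTRY_USER and REGISTRY_TOKEN are hypothetical CI variables; the registry URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not Exlogare's code: safe patterns for items 1, 5 and 6 above.
# REGISTRY, REGISTRY_USER and REGISTRY_TOKEN are hypothetical CI variables.
set -eu

# Item 6: confirm a variable arrived without printing its value.
# Prints "<name>: length=<n> last4=<xxxx>" and returns 1 if the variable is
# empty, so a missing secret fails the job instead of silently continuing.
describe_secret() {
  local name value len last4
  name="$1"
  value="${2-}"
  if [ -z "$value" ]; then
    printf '%s: NOT SET\n' "$name"
    return 1
  fi
  len=${#value}
  if [ "$len" -gt 4 ]; then
    last4=$(printf '%s' "$value" | tail -c 4)
  else
    last4='(too short)'
  fi
  printf '%s: length=%d last4=%s\n' "$name" "$len" "$last4"
}

# Item 5: run one command with xtrace off, then restore the previous state.
# $- lists the active shell options, so -x is re-enabled only if it was on.
run_quiet() {
  local was_traced rc
  was_traced=0
  case $- in *x*) was_traced=1 ;; esac
  set +x
  rc=0
  "$@" || rc=$?
  if [ "$was_traced" -eq 1 ]; then set -x; fi
  return "$rc"
}

# Item 1: pass the password on stdin so it never sits on a command line that
# set -x or a process listing could print. Defined here, not executed.
docker_login_safe() {
  printf '%s' "$REGISTRY_TOKEN" |
    docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin
}

# Typical job body: report presence only, and keep the secret-bearing calls
# untraced even when the rest of the job runs under set -x for debugging.
# describe_secret REGISTRY_TOKEN "${REGISTRY_TOKEN-}"
# run_quiet docker_login_safe
# run_quiet curl -fsS -H "Authorization: Bearer ${REGISTRY_TOKEN-}" https://registry.example.test/v2/
```

With set -x active, the lines before and after run_quiet are still traced, so the rest of the job stays debuggable; only the command passed to run_quiet is hidden, which is the "disable around secrets" rule from the checklist rather than a blanket set +x.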

How to check before integrating

Start with a simple scan of recent failures:

grep -Ei '(token|secret|password|authorization|bearer|aws_|private key|kubeconfig)' failed-job.log

This is not a full security scanner, but it is a good smoke test. For a production flow, run redaction before any external API call.
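
The grep above finds lines worth a look; a redaction step rewrites them so the log can leave the runner at all. The filter below is an added example, not Exlogare's code: a sed pipeline that replaces credentials in URLs, Bearer tokens, key=value pairs whose key names look secret-bearing, AWS access key IDs, and the body of PEM private-key blocks, while keeping the surrounding context (registry host, variable name, the BEGIN/END markers) that an analyzer needs. The sample log is constructed for illustration; the AKIA value is the example key ID from AWS documentation, and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not Exlogare's code: redact a CI log before it is stored or
# sent to any external service. Patterns are illustrative, not exhaustive.
set -eu

# redact_log: reads log text on stdin, writes redacted text on stdout.
# Rule order: the URL rule first, so user:pass@host is replaced as a whole;
# then Bearer tokens; then key=value / key: value pairs with secret-like key
# names (the key name is kept, only the value goes); then bare AWS access
# key IDs; finally everything between PEM PRIVATE KEY markers.
redact_log() {
  sed -E \
    -e 's#(https?://)[^/@[:space:]]+:[^/@[:space:]]+@#\1[REDACTED]@#g' \
    -e 's#([Aa]uthorization:[[:space:]]*[Bb]earer[[:space:]]+)[A-Za-z0-9._~+/=-]+#\1[REDACTED]#g' \
    -e 's/([A-Za-z_]*(TOKEN|[Tt]oken|SECRET|[Ss]ecret|PASSWORD|[Pp]assword|PASSWD|[Pp]asswd|KEY|[Kk]ey)[A-Za-z_]*[[:space:]]*[=:][[:space:]]*)[^[:space:]"]+/\1[REDACTED]/g' \
    -e 's/(^|[^A-Z0-9])AKIA[0-9A-Z]{16}([^A-Z0-9]|$)/\1[REDACTED_AWS_KEY_ID]\2/g' \
    -e '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/{/-----(BEGIN|END) /!s/.*/[REDACTED_KEY_MATERIAL]/;}'
}

# Constructed sample in the shape of items 5, 2, 9 and a leaked key file.
# The AKIA value is the public example key ID from AWS documentation.
sample_log() {
  cat <<'EOF'
+ curl -H 'Authorization: Bearer eyJhbGciOi.fake-payload.fake-sig' https://api.example.test/v1
npm ERR! 401 Unauthorized - GET https://deploy:s3cr3t@registry.example.test/@scope/pkg
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
docker build --build-arg NPM_TOKEN=npm_fakeToken123 .
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEBAAKCAQEA-constructed-not-a-real-key
-----END PRIVATE KEY-----
EOF
}

# Stand-alone demo: ./redact.sh --demo prints the sample before and after.
if [ "${1-}" = "--demo" ]; then
  echo '--- raw ---';      sample_log
  echo '--- redacted ---'; sample_log | redact_log
fi
```

Run it as the last step of the failure path, for example `cat job.log | redact_log > safe.log`, and ship only safe.log. The smoke-test grep from above will still match the redacted file on key names such as "token" or "authorization", which is expected: it is a check for raw logs, not proof that a file is clean, so review the redacted output once per pipeline before trusting the rules.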

Where Exlogare fits

Exlogare is useful after the log has basic hygiene: you send a safe failure context, not every build artifact. The team receives an RCA in the MR/PR: what failed, the likely cause, and what to check first.

For GitLab, start with GitLab CI ingest. For GitHub Actions, use the GitHub Actions guide. For data handling expectations, see Security.

Checklist

  • set -x is disabled around secrets.
  • docker login uses --password-stdin.
  • Terraform/kubectl debug is enabled only when needed.
  • Raw environment values are not printed.
  • Artifacts are reviewed like logs.
  • Redaction runs before sending logs out.