| Field | Value |
|---|---|
| Category | CICD-SEC-7 |
| Platform | GitLab CI |
| Severity | HIGH |
| Auto-fix | Flags CI_DEBUG_TRACE: "true" (or CI_DEBUG_SERVICES), which makes the runner log every command and variable — including masked secrets. |
What the check does
Debug tracing defeats variable masking and writes secrets into job logs that may be broadly readable. Remove it from committed pipeline config; enable it transiently and locally when you actually need to debug.Why it matters
Findings for this rule fire only on.gitlab-ci.yml and .gitlab-ci/*.yml.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the rules overview for the full
GitLab table.