Skip to main content
FieldValue
CategoryCICD-SEC-7
PlatformGitLab CI
SeverityHIGH
Auto-fixFlags CI_DEBUG_TRACE: "true" (or CI_DEBUG_SERVICES), which makes the runner log every command and variable — including masked secrets.

What the check does

Debug tracing defeats variable masking and writes secrets into job logs that may be broadly readable. Remove it from committed pipeline config; enable it transiently and locally when you actually need to debug.

Why it matters

Findings for this rule fire only on .gitlab-ci.yml and .gitlab-ci/*.yml. It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see the rules overview for the full GitLab table.