> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-7 (GitLab) — Debug tracing enabled

> Debug tracing defeats variable masking and writes secrets into job logs that may be broadly readable. Remove it from committed pipeline config; enable it transiently and locally when you actually need to debug.

| Field    | Value                                                                                                                                      |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| Category | `CICD-SEC-7`                                                                                                                               |
| Platform | GitLab CI                                                                                                                                  |
| Severity | **HIGH**                                                                                                                                   |
| Auto-fix | Flags `CI_DEBUG_TRACE: "true"` (or `CI_DEBUG_SERVICES`), which makes the runner log every command and variable — including masked secrets. |

## What the check does

Debug tracing defeats variable masking and writes secrets into job logs that may be broadly readable. Remove it from committed pipeline config; enable it transiently and locally when you actually need to debug.

## Why it matters

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
