Mask Text Matching Secure Variable Values

Hi Guys,

  • Update: Any text in the action output which matches sensitive or password variables available to the build is now masked when written to the build log. This can be switched off using the server property “Logging.MaskTextMatchingSecureVariableValues”

Logging.MaskTextMatchingSecureVariableValues = True

Variables are configured as seen in this screenshot:
(MAC_BUILD_SERVER_PASS has “Sensitive” checked)

But the output does includes the sensitive password in plain text:

Is this because I’m expanding the sensitive variable inside a non-sensitive variable and the latter is used for the script execution?


Hi Arik,

The SSH Script action handles command output differently from other actions which run a command process. The new action output masking is applied only to the output of an external processes run by Continua CI. We’ll update the action to ensure that its output is also processed.

Note also however that expressions in Text variables are expanded on build start. As they have already been expanded and the variable value replaced when the action is run, we no longer have details of any variables that they are made up of. Therefore, the normal log masking that happens with command lines written to the log directly by Continua will not happen for these variables. We recommend that you change it to an Expression variable that is expanded when used.

1 Like

Thanks Dave!

OK, made a small change and instead of expanding the sensitive variable inside a regular variable -
I am now expanding the sensitive variable directly in the action itself.

The thing is - the action is still the same SSH Script action
so for now the password is still showing in the log for the reason you have given.
We’ll wait for you to update the action to resolve this.
Thanks again!

We have fixed sensitive variable mapping in v1.9.2.902.

1 Like