GitLab CICD Variable unable to mask?


i’ve just created a secret for a Azure App registration and wanted to enter the secret in the CICD Variables to run my deployments. So far so good but i was unable to mask the variable. I guess this has something to do with the special characters like “~” in the secret. Is this something which will get fixed or maybe other question: Is it a critical security issue to leave the secret unmasked?

Thanks in advance!

Hey rwiglenda.

You are correct, that the ~ character is preventing it from being masked.
You can view the Requirements for Masking Variables here. (Addon to that, here is the base64 alphabet outlined by RFC4648)

It is not a critical security issue. (most of our projects on our privately hosted instance don’t use Masked variables).

Since it isn’t masked, you may want to be more cautious in your pipelines to prevent it from being printed to the log output.

I would recommend potentially considering changing your project’s visibility to Private (Project > Settings > General > Visibility, project features, permissions)
or change the privacy of the Repository access to Only Project Members (in the same section as the private option). These will only allow accepted project members to view the pipeline logs, which will reduce the exposure if the secret is accidentally printed.