debug_enabled.md

File metadata and controls

91 lines (72 loc) · 2.01 KB
title slug url rule severity
CI Debug Enabled
debug_enabled
/rules/debug_enabled/
debug_enabled
note

## Description

The workflow is configured to increase the verbosity of the runner. Debug logging prints far more detail about each step into the job logs, which can potentially expose sensitive information.

## Remediation

### GitHub Actions

In the workflow file, remove the ACTIONS_RUNNER_DEBUG or ACTIONS_STEP_DEBUG environment variables. Debug logging may also be enabled by setting a repository secret or variable, so the fact that poutine does not detect those variables in the workflow file does not guarantee it is not enabled elsewhere.

#### Recommended

```yaml
on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - id: 1
        run: echo Hello
```

#### Anti-Pattern

```yaml
on:
  push:

env:
  ACTIONS_RUNNER_DEBUG: true

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - id: 1
        env:
          ACTIONS_STEP_DEBUG: true
        run: echo Hello
```

### Gitlab CI

In the workflow file, remove the CI_DEBUG_TRACE or CI_DEBUG_SERVICES variable from the job definition, or set it to false.

#### Recommended

```yaml
job_name:
  variables:
    CI_DEBUG_TRACE: "false" # Or, better, simply omit those variables as they default to `false` anyway.
    CI_DEBUG_SERVICES: "false"
```

#### Anti-Pattern

```yaml
job_name:
  variables:
    CI_DEBUG_TRACE: "true"
    CI_DEBUG_SERVICES: "true"
```

### Azure DevOps

In the pipeline file, remove the system.debug variable from the variables definition, or set it to false.

#### Recommended

```yaml
variables:
  system.debug: 'false' # Or, better, simply omit this variable as it defaults to `false` anyway.
```

#### Anti-Pattern

```yaml
variables:
  system.debug: 'true'
```
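The three remediations above all come down to the same check: find a pipeline file that sets one of the named debug variables to `true`. The following scanner is an added example, not poutine's own implementation, and it generalises the rule to all three platforms at once. It assumes a line-based YAML heuristic (a `KEY: value` mapping line with an optional trailing comment) rather than a full YAML parser, and the sample pipeline snippets it runs on are constructed inline from the Recommended and Anti-Pattern blocks. Like the rule itself, it only sees the workflow file; a debug variable defined as a repository or project-level secret or variable is invisible to it.

```python
"""Scan CI configuration text for the debug-verbosity variables this rule flags (added example)."""
import re
from dataclasses import dataclass

# Variables that raise runner verbosity, per platform (names taken from the rule text).
DEBUG_KEYS = {
    "github": ("ACTIONS_RUNNER_DEBUG", "ACTIONS_STEP_DEBUG"),
    "gitlab": ("CI_DEBUG_TRACE", "CI_DEBUG_SERVICES"),
    "azure": ("system.debug",),
}

# Matches a YAML mapping line `KEY: value  # optional comment` (heuristic, not a YAML parser).
# Key matching is case-insensitive on purpose: Azure treats system.debug that way, and
# flagging odd-cased variants on the other platforms errs on the side of reporting.
_DEBUG_LINE = re.compile(
    r"^\s*(?P<key>ACTIONS_RUNNER_DEBUG|ACTIONS_STEP_DEBUG|CI_DEBUG_TRACE|"
    r"CI_DEBUG_SERVICES|system\.debug)\s*:\s*(?P<val>[^#]*?)\s*(?:#.*)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    platform: str
    line_no: int
    key: str
    value: str


def _enables_debug(raw_value: str) -> bool:
    """True when the (possibly quoted) YAML scalar is the string `true`."""
    return raw_value.strip().strip("'\"").lower() == "true"


def scan_ci_config(text: str, platform: str) -> list:
    """Return one Finding per line that sets a debug variable for `platform` to true.

    Lines that set the variable to anything else (e.g. "false") are not reported, since
    omitting or disabling the variable is exactly the remediation the rule recommends.
    """
    wanted = {k.lower() for k in DEBUG_KEYS[platform]}
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _DEBUG_LINE.match(line)
        if m is None or m.group("key").lower() not in wanted:
            continue
        if _enables_debug(m.group("val")):
            findings.append(Finding(platform, line_no, m.group("key"), m.group("val").strip()))
    return findings


# Constructed samples mirroring the rule's Recommended / Anti-Pattern blocks.
GITHUB_ANTI_PATTERN = """\
on:
  push:

env:
  ACTIONS_RUNNER_DEBUG: true

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - id: 1
        env:
          ACTIONS_STEP_DEBUG: true
        run: echo Hello
"""

GITLAB_RECOMMENDED = """\
job_name:
  variables:
    CI_DEBUG_TRACE: "false" # Or, better, simply omit those variables as they default to `false` anyway.
    CI_DEBUG_SERVICES: "false"
"""

GITLAB_ANTI_PATTERN = """\
job_name:
  variables:
    CI_DEBUG_TRACE: "true"
    CI_DEBUG_SERVICES: "true"
"""

AZURE_ANTI_PATTERN = """\
variables:
  system.debug: 'true'
"""

if __name__ == "__main__":
    samples = [
        ("github", GITHUB_ANTI_PATTERN),
        ("gitlab", GITLAB_RECOMMENDED),
        ("gitlab", GITLAB_ANTI_PATTERN),
        ("azure", AZURE_ANTI_PATTERN),
    ]
    for platform, text in samples:
        for f in scan_ci_config(text, platform):
            print(f"[note] {f.platform}: line {f.line_no}: {f.key} set to {f.value}")
```

Running the block reports the two GitHub variables (workflow-level and step-level), both GitLab variables in the anti-pattern, and `system.debug` in the Azure pipeline, while the GitLab Recommended block produces no finding. The `platform` argument matters because the variable names are platform-specific: `ACTIONS_STEP_DEBUG` in a `.gitlab-ci.yml` is just an ordinary variable and is deliberately not reported.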

## See Also