Any sensitive information such as passwords, IDs, and API tokens are exposed in the build logs/bitrise.yml of your public apps, hence visible to anyone who has the build URL of the app. You can hide these inputs with secret environment variables (env vars) so that those are not available in build logs/bitrise.yml.
To make the sensitive input fields obvious in our Workflow Editor, we’ve marked them with a yellow
SENSITIVE label in steps holding sensitive input fields. These inputs must be defined with the help of secret env vars and not with env vars!
You can hide any input of your choice with secret env vars even if the field is not labeled
SENSITIVE but you must use secret env vars for fields which are by default marked as
There are two ways to define secret env vars:
- directly in the steps
- in the Secrets tab of your Workflow Editor and select the secret env var in a step input when needed.
Head over to Secrets and Env Vars to find out the difference between
Env Vars and
Set a sensitive input in a step ⚓
- Click the
Select Secret Variablebutton below the input field which is marked with the yellow
Insert variablepop-up, browse the
Choose Secret Env Varlist or create a new secret env var (add the key and the value) in the
Create New Secret Env Varsection.
Expose for pull request?toggle under the
Valuefield is by default disabled and cannot be enabled with public apps to protect the secrets of your public app in the case of pull requests.
- If you’ve entered a new env var, hit
The new secret env var will be available in the
Choose Secret Env Var list or under the
Secrets tab for your app for future reference/use.
The selected or newly created secret env var will get automatically saved into the input field of the step.
You can always modify the secret env var registered for a
SENSITIVE input field if you click the
Select secret variable button or head over to the
Secrets tab where you get a full list of your secret env vars.
- Do not add private information in the
Env Vartab! Our
Secretstab is designed to hold encrypted inputs as secret env vars which will not be exposed in
bitrise.ymlor in public app PRs.
- Note that secret env vars can only hide sensitive information in the build logs of your public app. If you attach any other file to your build log which contains sensitive information but it is not encrypted, then sensitive information will be visible to anyone who has the build URL!
Environment Variables (Env Vars) consist of a key and a value, as well as optional attributes. They can be defined on the level of apps, Workflows or Steps.
To understand Bitrise in depth, there are a few key concepts that must be kept in mind. These are immutable and crucial to the way we do things.
Secrets can be accessed and used in a similar way as app Env Vars, the main difference is that secrets are not stored as part of the build configuration.