Sensitive input in public apps

Any sensitive information such as passwords, IDs, and API tokens are exposed in the build logs/bitrise.yml of your public apps, hence visible to anyone who has the build URL of the app. You can hide these inputs with secret Environment Variables (Env Vars) so that those are not available in build logs/bitrise.yml. To make the sensitive input fields obvious in our Workflow Editor, we’ve marked them with a yellow SENSITIVE label in Steps holding sensitive input fields. These inputs must be defined with the help of secret Env Vars and not with Env Vars!

You can hide any input of your choice with secret Env Vars even if the field is not labeled SENSITIVE but you must use secret Env Vars for fields which are by default marked as SENSITIVE.

Screenshot

There are two ways to define secret Env Vars:

Directly in the steps.
In the Secrets tab of your Workflow Editor and select the secret Env Var in a step input when needed.

Head over to Secrets and Env Vars to find out the difference between Env Vars and Secrets!

Set a sensitive input in a step ⚓

Click the Select Secret Variable button below the input field which is marked with the yellow SENSITIVE label.
In the Insert variable pop-up, browse the Choose Secret Env Var list or create a new secret env var (add the key and the value) in the Create New Secret Env Var section.

The Expose for pull request? toggle under the Value field is by default disabled and cannot be enabled with public apps to protect the secrets of your public app in the case of pull requests.
If you’ve entered a new Env Var, hit Add new.

The new secret Env Var will be available in the Choose Secret Env Var list or under the Secrets tab for your app for future reference/use.

The selected or newly created secret env var will get automatically saved into the input field of the step.

You can always modify the secret Env Var registered for a SENSITIVE input field if you click the Select secret variable button or head over to the Secrets tab where you get a full list of your secret env vars.

Select secret variable

Note that you cannot modify the input manually in the input field marked with the SENSITIVE label! Instead, click the Select secret variable to replace the existing input with another secret Env Var from the list or to create a new one in the Insert variable pop-up.

Do NOT ADD PRIVATE INFORMATION in the Env Var tab! Our Secrets tab is designed to hold encrypted inputs as secret Env Vars which will not be exposed in bitrise.yml or in public app PRs.
Note that secret Env Vars can only hide sensitive information in the build logs of your public app. If you attach any other file to your build log which contains sensitive information but it is not encrypted, then sensitive information will be visible to anyone who has the build URL!

To understand Bitrise in depth, there are a few key concepts that must be kept in mind. These are immutable and crucial to the way we do things.

Secrets can be accessed and used in a similar way as app Env Vars, the main difference is that secrets are not stored as part of the build configuration.

Environment Variables (Env Vars) consist of a key and a value, as well as optional attributes. They can be defined on the level of apps, Workflows or Steps.

All Bitrise builds have a build number. The first build of your app is, by default, number 1, and the build number gets incremented with each build. You can also...