Sanitise secrets from logs or debugging

[AleksandarCole]

Is your improvement proposal related to a problem? Please describe.

Currently, when user enables debugging mode in their build scripts for troubleshooting purposes, all variable values including secrets are displayed in plain text in the build logs. This makes debugging more challenging as they often need to disable debug mode when working with sensitive values, which reduces their ability to effectively troubleshoot issues in their build pipeline

Describe the solution you'd like

I would like the build system to automatically mask/redact secrets in the output logs even when shell debugging is enabled. The system should detect when a value matches a configured secret and replace it with asterisks or a placeholder like [MASKED] in all log outputs. This would allow us to use full debugging capabilities while maintaining clean and safe build logs.
Secrets should be sanitised in UI in job logs too.

Describe alternatives you've considered

• Manually wrapping each secret usage in the scripts to temporarily disable debugging
• Using separate scripts without debugging for production builds
• Post-processing logs to remove secrets before storage
• Creating custom logging functions that filter out sensitive values

Additional context

No response