Ensure Set Variable Is Not Marked As a Secret

Using non-secret variables for set variable tasks in Azure Pipelines is recommended because:

  • Non-secret variables are not encrypted or masked out, which makes them easier to debug and audit.
  • Non-secret variables are automatically decrypted into environment variables for scripts. You do not need to explicitly map them using the task.setvariable logging command.
  • Non-secret variables are available for expressions and template parameters. You do not need to pass them as arguments to templates.
    Therefore, this rule suggests using non-secret variables unless they contain sensitive information like passwords, IDs, and other identifying data that you would want to have protected in a pipeline.

Risk Level: medium
Platform: Azure Pipelines
Spectral Rule ID: AZRPPL003


In jobs.steps.powershell or jobs.steps.bash delete issecret=true command

bash: |
  echo "##vso[task.setvariable variable=normal_variable;]something"
- echo "##vso[task.setvariable variable=secret_variable;issecret=true]super-secret"
powershell: |
  Write-Host "##vso[task.setvariable variable=normal_variable;]something"
- Write-Host "##vso[task.setvariable variable=secret_variable;issecret=true]super-secret"

Read more: