Description
Enhanced Secret Redaction: Now Includes Gradle Invocation Commands – Security is at the core of Bitrise. Our build cache analytics have always protected your secrets, and we’re making that coverage even more robust.
Highlights:
- Expanded Redaction Coverage: We have always redacted secrets in environment variables, Gradle properties, and Bazel options for all build cache-enabled invocations. Now, we’re extending this to Gradle invocation commands as well.
- Why This Matters: While it’s uncommon for secrets to appear directly in Gradle command lines, some plugins do allow sensitive values as CLI parameters. These will now be automatically detected and redacted.
- How Redaction Works: Sensitive values are replaced with unique, seeded partial SHA256 hashes—meaning you can still compare invocation changes (via the Compare page) and spot performance regressions triggered by secret changes, all while keeping those values confidential.
- Comprehensive Detection: Secrets are sourced both from your Bitrise workflow definitions and from additional regex matches, maximizing security coverage.
- Heads Up for Configuration: If you’ve saved task paths or common terms (e.g., `app`) as secrets in Bitrise, those too will be redacted, which might obscure your Gradle commands. Review your saved secrets to avoid this and only store truly sensitive data as secrets.
- Effective Performance Regression Detection: Because redacted secrets are consistently replaced with the same unique hash, the invocation compare feature remains powerful—you can quickly see if differences in secret values contributed to build or performance regressions between invocations, without ever exposing what those secrets are. This balances robust analytics with rigorous data protection.
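The redaction scheme described in the highlights above, sketched as an added example (this is not Bitrise's implementation). The seed, the 12-character truncation, the `[REDACTED:…]` format, the parameter regex and the use of HMAC-SHA256 as the seeding construction are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

SEED = b"constructed-example-seed"  # assumption: a seed known only to the redactor
HASH_CHARS = 12                     # assumption: how much of the digest is kept

# Assumed pattern for secret-looking CLI parameters, e.g. -PuploadToken=... or --api-key=...
SECRET_PARAM = re.compile(
    r"(?:-P|-D|--)[\w.-]*(?:password|token|secret|key)[\w.-]*=(\S+)", re.I
)

def placeholder(value: str) -> str:
    """Seeded, truncated SHA-256: the same value always maps to the same token."""
    digest = hmac.new(SEED, value.encode(), hashlib.sha256).hexdigest()
    return f"[REDACTED:{digest[:HASH_CHARS]}]"

def redact(command: str, known_secrets: list[str]) -> str:
    """Redact workflow-defined secrets plus regex-detected parameter values."""
    detected = {m.group(1) for m in SECRET_PARAM.finditer(command)}
    secrets = {s for s in known_secrets if s} | detected
    if not secrets:
        return command
    # Single pass, longest first: a secret nested in a longer one is handled,
    # and text inside an already-emitted placeholder is never matched again.
    ordered = sorted(secrets, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    return pattern.sub(lambda m: placeholder(m.group(0)), command)

if __name__ == "__main__":
    # Constructed invocations: only the token value differs between the two builds.
    build_1 = "./gradlew :app:assembleRelease -PuploadToken=tok_A1 --stacktrace"
    build_2 = "./gradlew :app:assembleRelease -PuploadToken=tok_B2 --stacktrace"
    print(redact(build_1, []))
    print(redact(build_2, []))       # different token -> visibly different hash
    # Over-redaction caveat: a common term saved as a secret obscures the task path.
    print(redact(build_1, ["app"]))
```

Comparing the first two printed lines shows that the token changed between builds without revealing either value; the third shows `:app:assembleRelease` losing its module name once `app` is stored as a secret.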
Bottom line: Your secrets have always been protected in build cache analytics—now with added coverage for rare but possible sensitive values in Gradle command lines, you get both end-to-end security and the ability to safely analyze and compare builds for troubleshooting and optimization.
