We'll protect your secrets with the new sensitive inputs

We're rolling out support for open source projects on Bitrise and we've done a full security revision before this so that you can be sure that your secrets lie safe with us. We've introduced multiple security-related improvements, the last of which is a new type of input called sensitive.

We're rolling out support for open source projects on Bitrise and we've done a full security revision before this so that you can be sure that your secrets lie safe with us. We've introduced multiple security-related improvements, the last of which is a new type of input called sensitive.

Your secrets are not shown in the bitrise.yml and they are stored encrypted. In addition, you can prevent exposing secrets on the UI by making them protected.

Note that anyone still might be able to do a workaround and log the value of secrets with a pull request, thus we advise not to expose secrets in PRs. For this reason, Expose for Pull Requests for secrets are set to off by default.

Apart from the previously listed security features, from now on, step inputs which store secret values (like passwords, API tokens, an SSH key, etc.) can be marked as sensitive. Bitrise then will redact the values defined as secret environment variables from the build log to keep them secret.

sensitive enviromental variables

These step input values need to be defined as secret environment variables and cannot be set directly in the input fields (so if you can't find the Insert variable button in the top right, you've bumped into a sensitive input). To add them to an input field you can add them in advance or add them on the go. Click either Enter value or Select secret variable to get to the popup where you can add or choose one.

create new secret environment variable

Add your secrets in advance

Add all (or some) of them in advance by going to your apps Secrets tab and click Add new.

add a secret enviroment variable

You can add any number of secrets here. Don't forget to click Save!

Add a secret on the go

If you click either Enter value or Select secret variable without having Secrets predefined, you can create them in the popup window.

After setting a Key and a Value, Add new will create the Secret and add it to the list on the Secrets tab and insert it into the input field.

insert secret enviroment variable

Stay tuned for the open source project support to land on Bitrise!

Happy and safe building!

No items found.
The Mobile DevOps Newsletter

Explore more topics

App Development

Learn how to optimize your mobile app deployment processes for iOS, Android, Flutter, ReactNative, and more

Bitrise & Community

Check out the latest from Bitrise and the community. Learn about the upcoming mobile events, employee spotlights, women in tech, and more

Mobile App Releases

Learn how to release faster, better apps on the App Store, Google Play Store, Huawei AppGallery, and other app stores

Mobile DevOps

Learn Mobile DevOps best practices such as DevOps for iOS, Android, and industry-specific DevOps tips for mobile engineers

Mobile Testing & Security

Learn how to optimize mobile testing and security — from automated security checks to robust mobile testing and more.

Product Updates

Check out the latest product updates from Bitrise — Build Insights updates, product news, and more.

The Mobile DevOps Newsletter

Join 1000s of your peers. Sign up to receive Mobile DevOps tips, news, and best practice guides once every two weeks.