Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal


  • Give kudos
  • Received
  • Given


  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Secured variables shown in pipeline log

Using the `sftp-deploy` pipe from Atlassian I get my secured password "repository variable" printed out in my pipeline log. I thought those were meant to be hidden from the log?

Below is a copy of a log
$FTP_HOST set to ""
$FTP_USERNAME set to "user123"
$FTP_PASSWORD set to "ABCD12345"

Debug mode is on.

+ docker container run \
--volume=/opt/atlassian/pipelines/agent/build:/opt/atlassian/pipelines/agent/build \
--volume=/opt/atlassian/pipelines/agent/ssh:/opt/atlassian/pipelines/agent/ssh:ro \
--volume=/usr/local/bin/docker:/usr/local/bin/docker:ro \
--volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes \
--volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/sftp-deploy:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/sftp-deploy \
--workdir=$(pwd) \
--label=org.bitbucket.pipelines.system=true \
--env=CI="$CI" \
--env=DOCKER_HOST="tcp://host.docker.internal:2375" \
--env=BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes" \
--env=BITBUCKET_PIPE_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/sftp-deploy" \
--env=DEBUG="true" \
--env=LOCAL_PATH="dist/*" \
--env=REMOTE_PATH="/www" \
--env=SERVER="$FTP_HOST" \
--add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
Unable to find image 'bitbucketpipelines/sftp-deploy:0.5.4' locally
0.5.4: Pulling from bitbucketpipelines/sftp-deploy
9123ac7c32f7: Pulling fs layer
d98928055083: Pulling fs layer
c41d89d43ec8: Pulling fs layer
16a0202e78db: Pulling fs layer
133df80cc15d: Pulling fs layer
16a0202e78db: Waiting
133df80cc15d: Waiting
c41d89d43ec8: Verifying Checksum
c41d89d43ec8: Download complete
d98928055083: Verifying Checksum
d98928055083: Download complete
9123ac7c32f7: Verifying Checksum
9123ac7c32f7: Download complete
16a0202e78db: Verifying Checksum
16a0202e78db: Download complete
9123ac7c32f7: Pull complete
133df80cc15d: Download complete
d98928055083: Pull complete
c41d89d43ec8: Pull complete
16a0202e78db: Pull complete
133df80cc15d: Pull complete
Digest: sha256:fe920ce524458a868f74ea49fc508351cadee964bc263ac172cce0abb1291815
Status: Downloaded newer image for bitbucketpipelines/sftp-deploy:0.5.4
INFO: Enabling debug mode.
+ [[ -z $FTP_PASSWORD ]]
+ info 'Using PASSWORD.'
+ echo -e '\e[36mINFO: Using PASSWORD.\e[0m'
+ setup_ssh_dir
+ INJECTED_SSH_CONFIG_DIR=/opt/atlassian/pipelines/agent/ssh
+ IDENTITY_FILE=/opt/atlassian/pipelines/agent/ssh/id_rsa_tmp
+ KNOWN_HOSTS_FILE=/opt/atlassian/pipelines/agent/ssh/known_hosts
+ mkdir -p /root/.ssh
+ touch /root/.ssh/authorized_keys
+ [[ -z $FTP_PASSWORD ]]
+ '[' '!' -f /opt/atlassian/pipelines/agent/ssh/known_hosts ']'
+ cat /opt/atlassian/pipelines/agent/ssh/known_hosts
+ '[' -f /root/.ssh/config ']'
+ [[ -z $FTP_PASSWORD ]]
+ chmod -R go-rwx /root/.ssh/
+ run_pipe
+ info 'Starting SFTP deployment to'
INFO: Starting SFTP deployment to
+ echo -e '\e[36mINFO: Starting SFTP deployment to\e[0m'
+ set +e
+ [[ -z $FTP_PASSWORD ]]
+ debug Executing echo '"mput' 'dist/*"' '|' sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v
+ [[ true == \t\r\u\e ]]
+ echo -e '\e[37mDEBUG: Executing echo "mput dist/*" | sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v\e[0m'
DEBUG: Executing echo "mput dist/*" | sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v
+ echo 'mput dist/*'
+ sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v
OpenSSH_7.9p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to as 'user123'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: MAC: <implicit> compression: none
debug1: kex: client->server cipher: MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:8sBBlU4Q4RqUzZO1J0RpAucj6/DicaJI1TjPDcRO22U
debug1: Host '' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
Warning: Permanently added the ECDSA host key for IP address '' to the list of known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
Authenticated to ([]:22).
debug1: channel 0: new [client-session]
debug1: Requesting
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype want_reply 0
debug1: Sending subsystem: sftp
Connected to
Changing to: /www
sftp> mput dist/*
Uploading dist/assets/ to /customers/4/6/6/user123/httpd.www/assets
Entering dist/assets/
Uploading dist/favicon.png to /customers/4/6/6/user123/httpd.www/favicon.png
Uploading dist/index.html to /customers/4/6/6/user123/httpd.www/index.html
Uploading dist/robots.txt to /customers/4/6/6/user123/httpd.www/robots.txt
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 90280, received 4216 bytes, in 3.3 seconds
Bytes per second: sent 27264.3, received 1273.2
debug1: Exit status 0
+ set -e
+ [[ 0 == \0 ]]
✔ Deployment finished.
+ success 'Deployment finished.'
+ echo -e '\e[32m✔ Deployment finished.\e[0m'
+ exit 0

 Is this a bug or am I doing something wrong?

1 answer

@Martin Bohgard looks like a bug.

Please, check if it is still valid and PASSWORD is secured indeed  for latest versions of the pipe.

I  have also a question: does your step deployment and use repository variables, not deployments?

Please, check that you have secured all the sensitive variables in repo variables and in deployments section.

In our turn we will investigate the issue.

Regards, Galyna

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket Pipelines

What We Learned When We Researched Open Source Vulnerabilities in 7 Popular Coding Languages

...hey are a part of us, shaping how we interact with the world around us. The same holds true for programming languages when we think about how different kinds of vulnerabilities raise their heads in t...

1,237 views 0 3
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you