Vercel’s build-log env var redaction shipped on July 9, 2026, and the headline needs immediate precision: build logs now redact the values of environment variables marked Sensitive whose values are 32 characters or longer. That is the whole gate. It is not blanket redaction of every environment variable, and teams that never marked their secrets Sensitive get nothing from it.
The stakes are real because the leak class is real. Build logs get shared in support tickets, pasted into Slack threads, and read by everyone with project access — and any build tool that echoes its environment has historically printed secrets into them in plaintext. Vercel closing that surface matters, and the timing is not random: it lands less than three months after the company disclosed an April 2026 security incident in which an attacker bulk-extracted the non-sensitive tier of customer environment variables.
This guide covers exactly what changed and the precise conditions that trigger redaction, the April incident that explains the urgency, how Vercel’s approach compares to GitHub Actions and GitLab CI masking, an honest map of the leak vectors this feature does not touch — each with its own mitigation — and the same-day AI SDK release that makes July 9 read as a deliberate hardening push rather than a one-off patch.
- 01The gate is precise: Sensitive-type plus 32 characters.Redaction fires only for env vars created as Sensitive whose values are 32 characters or longer. Two system vars — VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN — are redacted at any length.
- 02The Sensitive type is old; the build-log masking is new.Sensitive env vars (encrypted, non-readable after creation) predate this release. What changed July 9 is that build logs now honor the type, with an Activity Log event recording each redaction — key, project, and deployment, never the value.
- 03The April 2026 breach is the why-now.Vercel disclosed an April 19-24 incident in which stolen third-party AI-tool credentials led to bulk extraction of non-sensitive env vars. Sensitive-type values were confirmed not exposed — this feature extends the surviving tier’s protection.
- 04Four leak vectors stay open, each needing its own fix.Runtime logs, NEXT_PUBLIC_ client bundling, repo-committed secrets, and (our analysis) malicious build plugins are all untouched by log masking. The honest-scope table below maps a mitigation for each.
- 05Same changelog day, Vercel hardened the agentic stack.AI SDK 7.0.19 shipped July 9 with fingerprintTools and detectToolDrift against MCP rug-pull attacks, plus a prototype-pollution fix — a coordinated security theme, not a coincidence.
01 — What ShippedA narrow fix for a noisy leak class.
The changelog entry Vercel published on July 9, 2026 is titled “Build logs now redact Sensitive Environment Variable values” — and the title is doing precise work. When a build step prints a value that belongs to a Sensitive-type environment variable and that value is 32 characters or longer, the log output masks it. When either condition fails — the var was never marked Sensitive, or the value is shorter than 32 characters — the value prints exactly as it always did.
Two system-issued credentials are the exception: VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN are redacted from build logs regardless of length. Every redaction also writes an Activity Log event recording the environment variable key, the project, and the deployment — but never the value itself — so security teams get an audit trail of what was masked and where.
Sensitive-type values
Redaction fires only when both conditions hold: the var is Sensitive-type AND the value is 32 characters or longer. Shorter values print unmasked even when marked Sensitive.
System credentials
VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN are masked in build logs at any length — the only unconditional redactions in the feature.
Before the changelog
A community report of redaction behavior appeared July 4 — five days before the July 9 changelog entry — suggesting a phased rollout ahead of the formal announcement.
"The Build Logs view also indicates when redaction happened, giving teams visibility into why output was masked without ever exposing the underlying value."— Vercel Changelog, July 9, 2026
That in-log indicator matters for debugging: a masked value that looked like a broken build step would generate support tickets; an explicit “this was redacted” marker turns the masking into a feature engineers can see working. It is a small design decision, but it is the difference between a security control teams trust and one they try to disable.
02 — The MechanicsThe Sensitive type is old; the log masking is what’s new.
It is worth separating two things coverage tends to blur. The Sensitive environment-variable type is an established Vercel feature — its docs page was last updated June 3, 2026, weeks before this release. Sensitive vars are stored in a non-readable, encrypted format from the moment they are created, can only exist in the Production and Preview environments (not Development), and lock their key after creation — you can update the value, with the current value hidden in the UI, but you cannot edit or read back what is stored.
What is new as of July 9 is that build logs now honor the type. Before this change, a Sensitive var was encrypted at rest and unreadable in the dashboard — and could still be printed in plaintext by any build script that echoed it. That gap between storage-level protection and log-level exposure is exactly what the changelog entry closes.
Two operational levers make the gate practical at team scale. First, team owners can enable an org-wide Enforce Sensitive Environment Variables policy (under Settings, then Security and Privacy) that forces all newly created Production and Preview vars to Sensitive-type by default. Second, CI-driven provisioning can guarantee the type programmatically: the REST endpoint for creating project env vars accepts a "type": "sensitive" field, as does the @vercel/sdk TypeScript client — so infrastructure-as-code pipelines never depend on a human remembering a toggle.
One rollout wrinkle deserves a clearly labeled caveat. On July 4 — five days before the changelog entry — a Vercel Community user reported that a variable they had explicitly marked non-sensitive was still being redacted in build logs, and asked how to opt out; no staff reply was recorded when we retrieved the thread. This is a single anecdotal report, not confirmed platform behavior. Read charitably, it suggests the rollout began before the announcement and that org-level enforcement policies may interact with individual variable settings in ways the docs do not yet spell out.
03 — Why NowThe April breach made the tier gap impossible to ignore.
Vercel disclosed a security incident spanning April 19 to 24, 2026. Per the company’s own knowledge-base bulletin, an attacker compromised a Vercel employee’s credentials for Context.ai — a third-party AI tool — via infostealer malware, used those credentials to take over the employee’s Google Workspace account (bypassing MFA through SSO), reached Vercel’s internal systems, and bulk-extracted non-sensitive environment variables — the plaintext-decryptable type — from a subset of customer projects.
The detail that matters for this story is what the attacker could not read.
Non-sensitive env vars
Extracted from a subset of customer projects during the April incident. Vercel’s guidance was blunt: treat these values as potentially exposed and rotate them as priority.
Sensitive env vars survived
Confirmed NOT exposed in the breach. Because sensitive-type values are encrypted and never returned in plaintext, the attacker could not read them even with internal access.
Press coverage — Trend Micro’s research write-up, corroborated by multiple security blogs — attributes the attack to the ShinyHunters group and reports the stolen data being offered for $2 million on underground forums. Those attribution and ransom details are press-reported, not confirmed in Vercel’s own bulletin, so treat them accordingly.
The product response followed a straight line. Around May 2026, newly created environment variables began defaulting to Sensitive-type, and the org-wide enforcement policy gave teams a way to lock that default in. The July 9 build-log redaction is the next step on the same line: the breach proved the encrypted tier was the one that held, so Vercel is systematically closing the adjacent surfaces — dashboard reads, API reads, and now build-log echoes — where that tier’s values could still escape as plaintext. Read as a sequence, April to May to July, this is a platform reorganizing its environment-variable model around the assumption that the non-encrypted tier should not exist.
04 — Platform ComparisonHow the gate compares to GitHub and GitLab masking.
Build-log secret masking is not a new idea — GitHub Actions and GitLab CI have shipped versions of it for years. What is useful, now that Vercel has joined, is a mechanics-level comparison, because the three platforms draw the trigger conditions and the failure modes in genuinely different places. No prior comparison covers Vercel because the feature is days old.
| Platform | Trigger and scope | Minimum length | Default state | Known failure modes |
|---|---|---|---|---|
| Vercel build logs | Opt-in by type: the variable must be created as Sensitive, and its value must be 32 characters or longer. Two system vars are redacted at any length. | 32 characters | Off unless the var is Sensitive-type. A team-wide policy can force new Production/Preview vars to Sensitive by default. | Vars never marked Sensitive get no masking; values under 32 characters pass through. One community report of over-redaction during rollout remains anecdotal and unresolved. |
| GitHub Actions | Automatic for registered repository, organization, and environment secrets actually used in a job — masking happens at the runner. Anything else needs an explicit ::add-mask:: command. | No documented floor | On for registered secrets used in the job. | Exact-string matching breaks on structured data (JSON, XML, YAML) used as secrets; transformed values (base64, URL-encoded) must be registered separately or they print in plaintext. |
| GitLab CI | Opt-in per variable via the Masked toggle. Masking is separate from the Protected toggle, which restricts a variable to protected branches and tags. | 8 characters, single line, no spaces; restricted character set when variable expansion is enabled | Off — both toggles are unchecked on new variables. | A variable needs both Masked and Protected for full coverage, and GitLab’s own docs state masking is not a guaranteed way to stop malicious users from accessing values. |
Two contrasts stand out. First, the length floors: Vercel’s 32 characters is four times GitLab’s 8-character minimum, while GitHub documents no floor at all. A higher floor means fewer false-positive redactions of ordinary config strings, at the cost of leaving short secrets — a 20-character API key, say — unmasked even when marked Sensitive. Second, the failure modes are shared more than the mechanics: GitHub’s docs warn that “structured data can cause secret redaction within logs to fail, because redaction largely relies on finding an exact match for the specific secret value” — the same exact-string-matching weakness applies to any log-masking approach, Vercel’s included.
GitLab’s documentation is the most candid of the three about the category’s ceiling: it states outright that “masking a CI/CD variable is not a guaranteed way to prevent malicious users from accessing variable values”. That framing is the right lens for Vercel’s feature too — log masking is a valuable seatbelt, not a vault. Our secrets-management and key-rotation reference covers the vault layer: scoped credentials, OIDC federation, and zero-downtime rotation.
05 — Honest ScopeWhat the redaction does not cover.
A lazy reading of the headline — “Vercel redacts secrets in build logs” — implies protection this feature does not provide. The matrix below maps the major secret-leak vectors on a Vercel deployment against what the July 9 change actually closes. The mitigations in the “not closed” rows are our engineering guidance, not Vercel claims — the changelog itself makes no promises beyond build-log output.
| Leak vector | Status after July 9 | Mitigation |
|---|---|---|
| Closed by the July 9 redaction | ||
| Sensitive-type values echoed into build logs | Closed — masked when the value is 32+ characters | Mark secrets as Sensitive at creation; review the Activity Log events the redaction writes. |
| VERCEL_AUTOMATION_BYPASS_SECRET / VERCEL_OIDC_TOKEN in logs | Closed — always redacted, at any length | Nothing to configure; these two system vars are masked unconditionally. |
| Not closed — needs its own control | ||
| Non-Sensitive vars, or Sensitive values under 32 characters | Not closed — the gate does not fire | Convert secrets to Sensitive-type and enable the team-wide enforcement policy; prefer long, high-entropy values. |
| Runtime and function logs | Not closed — the feature scopes to build logs only | Redact at the application layer before logging; never log request bodies or headers that can carry credentials. |
| NEXT_PUBLIC_ values in the client bundle | Not closed — structurally out of reach | Audit every NEXT_PUBLIC_ var; anything that must stay secret moves server-side behind a route handler. |
| Secrets committed to the repository | Not closed — the value leaks before any build runs | Pre-commit secret scanning plus rotation on every confirmed exposure; treat git history as permanently public. |
| Malicious or compromised build plugins (our analysis) | Not closed — exfiltration in memory never touches the log | Vet and pin build-time dependencies; restrict install scripts; monitor outbound network activity from CI. |
Each open vector deserves a sentence of specifics. Runtime logs: the feature is scoped to build logs, so a function that logs a connection string at request time prints it in full — application-layer redaction is the control, and the patterns in our guide to redaction for AI-generated output transfer directly to server logs.
NEXT_PUBLIC_ exposure is the structurally different one. Next.js inlines any NEXT_PUBLIC_ variable’s value into the client-side JavaScript bundle at build time — the string is permanently baked into files served to every visitor’s browser, discoverable in dev tools regardless of what any log shows. No log-masking feature can touch it, because the leak is the product artifact itself.
Committed secrets leak before Vercel ever sees a build: a credential pushed to git history is exposed to everyone with repo access, forever, and rotation is the only real remedy. And malicious build plugins — to be explicit, this one is our reasoned inference from how the feature is scoped, not a Vercel-stated limitation — sit outside the protection by design: redaction operates on what gets printed to the log stream, so a compromised build-time dependency that reads a decrypted value from the environment and exfiltrates it over the network never triggers the masking at all. Supply-chain controls like the ones in npm 12’s install-script lockdown are the relevant defense there.
06 — Same DayJuly 9’s other release: tool-drift defenses in the AI SDK.
The build-log redaction did not ship alone. The same changelog day — July 9, 2026, 18:07 UTC on the GitHub releases page — Vercel published ai@7.0.19 of the Vercel AI SDK, introducing fingerprintTools and detectToolDrift: two functions that defend against MCP “rug pull” attacks, where a remote MCP server silently changes a tool’s description or input schema after an agent has already trusted it.
The mechanics are a checksum for trust: fingerprintTools pins a tool set’s server-controlled fields — description, input schema, title — at the moment of trust, and detectToolDrift diffs later fetches against that fingerprint to catch injected descriptions or widened schemas before the tools reach the model. The release notes are explicit about the division of labor: “Baseline storage and the drift response remain the app’s responsibility.” The same release also patched a prototype-pollution vulnerability in tool-approval resolution, so tool names that collide with inherited JavaScript properties like constructor resolve correctly.
We unpack the fingerprinting API, the threat model, and the migration path in our companion piece on AI SDK 7.0.19’s MCP tool-drift defenses. The point for this post is the pattern: one platform, one day, two releases that both assume the inside of the pipeline is hostile — build output that might echo secrets, and MCP servers that might mutate after trust. That is a security posture shifting from perimeter to pipeline, and given that the April incident began with a compromised third-party AI tool, hardening the agentic stack alongside the build stack reads as one lesson applied twice.
07 — PlaybookThe rollout moves worth making this week.
The feature is free, already live, and requires no code change — but it only protects teams whose variables are actually Sensitive-type. Here is where we’d focus, in order.
Audit variable types, then enforce
Inventory which Production and Preview vars are Sensitive-type today — anything storing a credential that isn’t gets zero build-log protection. Then enable the org-wide Enforce Sensitive Environment Variables policy so new vars default to the protected tier.
Provision sensitive-type via API
If env vars are created by pipelines, pass the sensitive type field on the project-env REST endpoint or via the @vercel/sdk client, so the guarantee is code-enforced rather than toggle-dependent.
Audit NEXT_PUBLIC_ usage
Log masking cannot help with values baked into the client bundle. Review every NEXT_PUBLIC_ var; anything that must stay secret moves server-side behind a route handler or server action.
Rotate and keep scanning
If any of your projects held non-sensitive vars through April 2026, Vercel’s guidance was to treat them as potentially exposed and rotate. Log redaction does not replace secret scanning or rotation discipline — it sits alongside them.
Looking forward, our expectation — and it is a projection, not an announcement — is that the 32-character floor and the opt-in type are the parts most likely to evolve. Vercel has been walking a straight line since April: sensitive-by-default creation, org enforcement policies, and now log masking all push toward a world where the plaintext-readable tier disappears entirely. Teams that treat Sensitive-type as the only tier now will find each of those steps a no-op; teams that don’t will keep inheriting migration work each time the default tightens.
If you want a second set of senior eyes on this — a secrets-handling audit across your Vercel projects, or a broader hardening pass on an AI-heavy pipeline — our web development team runs exactly these reviews, and our AI transformation engagements cover the agentic-stack side, from MCP trust boundaries to tool-drift monitoring.
08 — ConclusionA good fix, honestly sized.
Build-log redaction is a seatbelt, not a vault — and it only buckles for Sensitive-type variables.
The July 9 change closes a real and embarrassing leak class: secrets printed into build logs that get shared, pasted, and read far beyond the people who should hold them. The mechanics are precise — Sensitive-type variables, values of 32 characters or longer, two system vars always masked — and the precision is the point. Teams that know the exact gate can rely on it; teams that assume blanket redaction will be protected by a feature that, for their unmarked variables, never fires.
The context makes it more than a changelog footnote. April’s breach demonstrated, at customer expense, that Vercel’s encrypted tier held while the plaintext tier did not. Everything since — sensitive-by-default creation, org-wide enforcement, and now build-log masking — is the platform converging on the tier that survived. The same day’s AI SDK tool-drift defenses extend the identical instinct to the agentic stack: assume the pipeline’s inputs can turn hostile after you trusted them.
The work left is yours: mark the variables, enforce the policy, audit the NEXT_PUBLIC_ surface, keep rotating. Log redaction is the platform doing its part of a shared-responsibility split — the four vectors it cannot touch are the reminder that the other part still belongs to you.