DevelopmentNew Release12 min readPublished July 11, 2026

Sensitive-type vars only · 32-char floor · build logs, not runtime

Vercel Now Redacts Secrets in Build Logs: What It Fixes

On July 9, 2026, Vercel started redacting build-log output for environment variables marked Sensitive whose values are 32 characters or longer — a precise gate, not blanket masking of every variable. It closes the “leaked in build logs” class while leaving runtime logs, NEXT_PUBLIC_ bundling, and committed secrets to other controls.

DA
Digital Applied Team
Senior strategists · Published Jul 11, 2026
PublishedJuly 11, 2026
Read time12 min
SourcesVercel changelog + docs
Redaction floor
32ch
Sensitive-type values only
Always redacted
2
system vars, any length
Changelog entry
Jul 9
2026 · rollout observed earlier
GitLab’s masking floor
8ch
for comparison — 4x lower

Vercel’s build-log env var redaction shipped on July 9, 2026, and the headline needs immediate precision: build logs now redact the values of environment variables marked Sensitive whose values are 32 characters or longer. That is the whole gate. It is not blanket redaction of every environment variable, and teams that never marked their secrets Sensitive get nothing from it.

The stakes are real because the leak class is real. Build logs get shared in support tickets, pasted into Slack threads, and read by everyone with project access — and any build tool that echoes its environment has historically printed secrets into them in plaintext. Vercel closing that surface matters, and the timing is not random: it lands less than three months after the company disclosed an April 2026 security incident in which an attacker bulk-extracted the non-sensitive tier of customer environment variables.

This guide covers exactly what changed and the precise conditions that trigger redaction, the April incident that explains the urgency, how Vercel’s approach compares to GitHub Actions and GitLab CI masking, an honest map of the leak vectors this feature does not touch — each with its own mitigation — and the same-day AI SDK release that makes July 9 read as a deliberate hardening push rather than a one-off patch.

Key takeaways
  1. 01
    The gate is precise: Sensitive-type plus 32 characters.Redaction fires only for env vars created as Sensitive whose values are 32 characters or longer. Two system vars — VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN — are redacted at any length.
  2. 02
    The Sensitive type is old; the build-log masking is new.Sensitive env vars (encrypted, non-readable after creation) predate this release. What changed July 9 is that build logs now honor the type, with an Activity Log event recording each redaction — key, project, and deployment, never the value.
  3. 03
    The April 2026 breach is the why-now.Vercel disclosed an April 19-24 incident in which stolen third-party AI-tool credentials led to bulk extraction of non-sensitive env vars. Sensitive-type values were confirmed not exposed — this feature extends the surviving tier’s protection.
  4. 04
    Four leak vectors stay open, each needing its own fix.Runtime logs, NEXT_PUBLIC_ client bundling, repo-committed secrets, and (our analysis) malicious build plugins are all untouched by log masking. The honest-scope table below maps a mitigation for each.
  5. 05
    Same changelog day, Vercel hardened the agentic stack.AI SDK 7.0.19 shipped July 9 with fingerprintTools and detectToolDrift against MCP rug-pull attacks, plus a prototype-pollution fix — a coordinated security theme, not a coincidence.

01What ShippedA narrow fix for a noisy leak class.

The changelog entry Vercel published on July 9, 2026 is titled “Build logs now redact Sensitive Environment Variable values” — and the title is doing precise work. When a build step prints a value that belongs to a Sensitive-type environment variable and that value is 32 characters or longer, the log output masks it. When either condition fails — the var was never marked Sensitive, or the value is shorter than 32 characters — the value prints exactly as it always did.

Two system-issued credentials are the exception: VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN are redacted from build logs regardless of length. Every redaction also writes an Activity Log event recording the environment variable key, the project, and the deployment — but never the value itself — so security teams get an audit trail of what was masked and where.

Length floor
Sensitive-type values
32chars

Redaction fires only when both conditions hold: the var is Sensitive-type AND the value is 32 characters or longer. Shorter values print unmasked even when marked Sensitive.

opt-in by type
Always redacted
System credentials
2vars

VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN are masked in build logs at any length — the only unconditional redactions in the feature.

any length
Rollout signal
Before the changelog
5days

A community report of redaction behavior appeared July 4 — five days before the July 9 changelog entry — suggesting a phased rollout ahead of the formal announcement.

phased rollout
"The Build Logs view also indicates when redaction happened, giving teams visibility into why output was masked without ever exposing the underlying value."— Vercel Changelog, July 9, 2026

That in-log indicator matters for debugging: a masked value that looked like a broken build step would generate support tickets; an explicit “this was redacted” marker turns the masking into a feature engineers can see working. It is a small design decision, but it is the difference between a security control teams trust and one they try to disable.

02The MechanicsThe Sensitive type is old; the log masking is what’s new.

It is worth separating two things coverage tends to blur. The Sensitive environment-variable type is an established Vercel feature — its docs page was last updated June 3, 2026, weeks before this release. Sensitive vars are stored in a non-readable, encrypted format from the moment they are created, can only exist in the Production and Preview environments (not Development), and lock their key after creation — you can update the value, with the current value hidden in the UI, but you cannot edit or read back what is stored.

What is new as of July 9 is that build logs now honor the type. Before this change, a Sensitive var was encrypted at rest and unreadable in the dashboard — and could still be printed in plaintext by any build script that echoed it. That gap between storage-level protection and log-level exposure is exactly what the changelog entry closes.

Two operational levers make the gate practical at team scale. First, team owners can enable an org-wide Enforce Sensitive Environment Variables policy (under Settings, then Security and Privacy) that forces all newly created Production and Preview vars to Sensitive-type by default. Second, CI-driven provisioning can guarantee the type programmatically: the REST endpoint for creating project env vars accepts a "type": "sensitive" field, as does the @vercel/sdk TypeScript client — so infrastructure-as-code pipelines never depend on a human remembering a toggle.

One rollout wrinkle deserves a clearly labeled caveat. On July 4 — five days before the changelog entry — a Vercel Community user reported that a variable they had explicitly marked non-sensitive was still being redacted in build logs, and asked how to opt out; no staff reply was recorded when we retrieved the thread. This is a single anecdotal report, not confirmed platform behavior. Read charitably, it suggests the rollout began before the announcement and that org-level enforcement policies may interact with individual variable settings in ways the docs do not yet spell out.

Don’t conflate the two
“Vercel has sensitive env vars” is old news; “build logs now mask them” is the July 9 change. If your team adopted Sensitive-type vars months ago, you gained build-log protection automatically. If you never adopted the type, this feature changed nothing about your logs — that is the honest-scope point this post keeps returning to.

03Why NowThe April breach made the tier gap impossible to ignore.

Vercel disclosed a security incident spanning April 19 to 24, 2026. Per the company’s own knowledge-base bulletin, an attacker compromised a Vercel employee’s credentials for Context.ai — a third-party AI tool — via infostealer malware, used those credentials to take over the employee’s Google Workspace account (bypassing MFA through SSO), reached Vercel’s internal systems, and bulk-extracted non-sensitive environment variables — the plaintext-decryptable type — from a subset of customer projects.

The detail that matters for this story is what the attacker could not read.

Bulk-extracted
Non-sensitive env vars
plaintext-decryptable tier

Extracted from a subset of customer projects during the April incident. Vercel’s guidance was blunt: treat these values as potentially exposed and rotate them as priority.

Rotate as priority
Held the line
Sensitive env vars survived
encrypted · never returned in plaintext

Confirmed NOT exposed in the breach. Because sensitive-type values are encrypted and never returned in plaintext, the attacker could not read them even with internal access.

Confirmed not exposed

Press coverage — Trend Micro’s research write-up, corroborated by multiple security blogs — attributes the attack to the ShinyHunters group and reports the stolen data being offered for $2 million on underground forums. Those attribution and ransom details are press-reported, not confirmed in Vercel’s own bulletin, so treat them accordingly.

The product response followed a straight line. Around May 2026, newly created environment variables began defaulting to Sensitive-type, and the org-wide enforcement policy gave teams a way to lock that default in. The July 9 build-log redaction is the next step on the same line: the breach proved the encrypted tier was the one that held, so Vercel is systematically closing the adjacent surfaces — dashboard reads, API reads, and now build-log echoes — where that tier’s values could still escape as plaintext. Read as a sequence, April to May to July, this is a platform reorganizing its environment-variable model around the assumption that the non-encrypted tier should not exist.

04Platform ComparisonHow the gate compares to GitHub and GitLab masking.

Build-log secret masking is not a new idea — GitHub Actions and GitLab CI have shipped versions of it for years. What is useful, now that Vercel has joined, is a mechanics-level comparison, because the three platforms draw the trigger conditions and the failure modes in genuinely different places. No prior comparison covers Vercel because the feature is days old.

Build-log secret masking compared across Vercel, GitHub Actions, and GitLab CI: trigger and scope, minimum value length, default state, and known failure modes. Synthesis by Digital Applied from the Vercel changelog and docs, the GitHub Actions secure use reference, and GitLab CI/CD variables documentation, retrieved July 10, 2026.
PlatformTrigger and scopeMinimum lengthDefault stateKnown failure modes
Vercel build logsOpt-in by type: the variable must be created as Sensitive, and its value must be 32 characters or longer. Two system vars are redacted at any length.32 charactersOff unless the var is Sensitive-type. A team-wide policy can force new Production/Preview vars to Sensitive by default.Vars never marked Sensitive get no masking; values under 32 characters pass through. One community report of over-redaction during rollout remains anecdotal and unresolved.
GitHub ActionsAutomatic for registered repository, organization, and environment secrets actually used in a job — masking happens at the runner. Anything else needs an explicit ::add-mask:: command.No documented floorOn for registered secrets used in the job.Exact-string matching breaks on structured data (JSON, XML, YAML) used as secrets; transformed values (base64, URL-encoded) must be registered separately or they print in plaintext.
GitLab CIOpt-in per variable via the Masked toggle. Masking is separate from the Protected toggle, which restricts a variable to protected branches and tags.8 characters, single line, no spaces; restricted character set when variable expansion is enabledOff — both toggles are unchecked on new variables.A variable needs both Masked and Protected for full coverage, and GitLab’s own docs state masking is not a guaranteed way to stop malicious users from accessing values.

Two contrasts stand out. First, the length floors: Vercel’s 32 characters is four times GitLab’s 8-character minimum, while GitHub documents no floor at all. A higher floor means fewer false-positive redactions of ordinary config strings, at the cost of leaving short secrets — a 20-character API key, say — unmasked even when marked Sensitive. Second, the failure modes are shared more than the mechanics: GitHub’s docs warn that “structured data can cause secret redaction within logs to fail, because redaction largely relies on finding an exact match for the specific secret value” — the same exact-string-matching weakness applies to any log-masking approach, Vercel’s included.

GitLab’s documentation is the most candid of the three about the category’s ceiling: it states outright that “masking a CI/CD variable is not a guaranteed way to prevent malicious users from accessing variable values”. That framing is the right lens for Vercel’s feature too — log masking is a valuable seatbelt, not a vault. Our secrets-management and key-rotation reference covers the vault layer: scoped credentials, OIDC federation, and zero-downtime rotation.

05Honest ScopeWhat the redaction does not cover.

A lazy reading of the headline — “Vercel redacts secrets in build logs” — implies protection this feature does not provide. The matrix below maps the major secret-leak vectors on a Vercel deployment against what the July 9 change actually closes. The mitigations in the “not closed” rows are our engineering guidance, not Vercel claims — the changelog itself makes no promises beyond build-log output.

Secret-leak vectors on Vercel mapped against the July 9, 2026 build-log redaction feature: which vectors are closed, which remain open, and the mitigation for each open vector. Analysis by Digital Applied, July 2026; open-vector mitigations are author guidance, not Vercel statements.
Leak vectorStatus after July 9Mitigation
Closed by the July 9 redaction
Sensitive-type values echoed into build logsClosed — masked when the value is 32+ charactersMark secrets as Sensitive at creation; review the Activity Log events the redaction writes.
VERCEL_AUTOMATION_BYPASS_SECRET / VERCEL_OIDC_TOKEN in logsClosed — always redacted, at any lengthNothing to configure; these two system vars are masked unconditionally.
Not closed — needs its own control
Non-Sensitive vars, or Sensitive values under 32 charactersNot closed — the gate does not fireConvert secrets to Sensitive-type and enable the team-wide enforcement policy; prefer long, high-entropy values.
Runtime and function logsNot closed — the feature scopes to build logs onlyRedact at the application layer before logging; never log request bodies or headers that can carry credentials.
NEXT_PUBLIC_ values in the client bundleNot closed — structurally out of reachAudit every NEXT_PUBLIC_ var; anything that must stay secret moves server-side behind a route handler.
Secrets committed to the repositoryNot closed — the value leaks before any build runsPre-commit secret scanning plus rotation on every confirmed exposure; treat git history as permanently public.
Malicious or compromised build plugins (our analysis)Not closed — exfiltration in memory never touches the logVet and pin build-time dependencies; restrict install scripts; monitor outbound network activity from CI.

Each open vector deserves a sentence of specifics. Runtime logs: the feature is scoped to build logs, so a function that logs a connection string at request time prints it in full — application-layer redaction is the control, and the patterns in our guide to redaction for AI-generated output transfer directly to server logs.

NEXT_PUBLIC_ exposure is the structurally different one. Next.js inlines any NEXT_PUBLIC_ variable’s value into the client-side JavaScript bundle at build time — the string is permanently baked into files served to every visitor’s browser, discoverable in dev tools regardless of what any log shows. No log-masking feature can touch it, because the leak is the product artifact itself.

Committed secrets leak before Vercel ever sees a build: a credential pushed to git history is exposed to everyone with repo access, forever, and rotation is the only real remedy. And malicious build plugins — to be explicit, this one is our reasoned inference from how the feature is scoped, not a Vercel-stated limitation — sit outside the protection by design: redaction operates on what gets printed to the log stream, so a compromised build-time dependency that reads a decrypted value from the environment and exfiltrates it over the network never triggers the masking at all. Supply-chain controls like the ones in npm 12’s install-script lockdown are the relevant defense there.

The NEXT_PUBLIC_ caveat
One third-party scanning vendor, PreBreach, reports that a meaningful share of the Vercel-deployed apps it scans expose at least one secret through the NEXT_PUBLIC_ prefix. The figure is single-source and comes from a vendor with an interest in alarming numbers, so we won’t repeat it as a hard statistic — but the direction matches what we see in audits: client-bundle exposure is common, and it is entirely untouched by build-log redaction.

06Same DayJuly 9’s other release: tool-drift defenses in the AI SDK.

The build-log redaction did not ship alone. The same changelog day — July 9, 2026, 18:07 UTC on the GitHub releases page — Vercel published ai@7.0.19 of the Vercel AI SDK, introducing fingerprintTools and detectToolDrift: two functions that defend against MCP “rug pull” attacks, where a remote MCP server silently changes a tool’s description or input schema after an agent has already trusted it.

The mechanics are a checksum for trust: fingerprintTools pins a tool set’s server-controlled fields — description, input schema, title — at the moment of trust, and detectToolDrift diffs later fetches against that fingerprint to catch injected descriptions or widened schemas before the tools reach the model. The release notes are explicit about the division of labor: “Baseline storage and the drift response remain the app’s responsibility.” The same release also patched a prototype-pollution vulnerability in tool-approval resolution, so tool names that collide with inherited JavaScript properties like constructor resolve correctly.

We unpack the fingerprinting API, the threat model, and the migration path in our companion piece on AI SDK 7.0.19’s MCP tool-drift defenses. The point for this post is the pattern: one platform, one day, two releases that both assume the inside of the pipeline is hostile — build output that might echo secrets, and MCP servers that might mutate after trust. That is a security posture shifting from perimeter to pipeline, and given that the April incident began with a compromised third-party AI tool, hardening the agentic stack alongside the build stack reads as one lesson applied twice.

07PlaybookThe rollout moves worth making this week.

The feature is free, already live, and requires no code change — but it only protects teams whose variables are actually Sensitive-type. Here is where we’d focus, in order.

Every Vercel team
Audit variable types, then enforce

Inventory which Production and Preview vars are Sensitive-type today — anything storing a credential that isn’t gets zero build-log protection. Then enable the org-wide Enforce Sensitive Environment Variables policy so new vars default to the protected tier.

Do first
Platform / CI owners
Provision sensitive-type via API

If env vars are created by pipelines, pass the sensitive type field on the project-env REST endpoint or via the @vercel/sdk client, so the guarantee is code-enforced rather than toggle-dependent.

Automate it
Next.js app teams
Audit NEXT_PUBLIC_ usage

Log masking cannot help with values baked into the client bundle. Review every NEXT_PUBLIC_ var; anything that must stay secret moves server-side behind a route handler or server action.

Close the bundle gap
Post-April hygiene
Rotate and keep scanning

If any of your projects held non-sensitive vars through April 2026, Vercel’s guidance was to treat them as potentially exposed and rotate. Log redaction does not replace secret scanning or rotation discipline — it sits alongside them.

Stay on rotation

Looking forward, our expectation — and it is a projection, not an announcement — is that the 32-character floor and the opt-in type are the parts most likely to evolve. Vercel has been walking a straight line since April: sensitive-by-default creation, org enforcement policies, and now log masking all push toward a world where the plaintext-readable tier disappears entirely. Teams that treat Sensitive-type as the only tier now will find each of those steps a no-op; teams that don’t will keep inheriting migration work each time the default tightens.

If you want a second set of senior eyes on this — a secrets-handling audit across your Vercel projects, or a broader hardening pass on an AI-heavy pipeline — our web development team runs exactly these reviews, and our AI transformation engagements cover the agentic-stack side, from MCP trust boundaries to tool-drift monitoring.

08ConclusionA good fix, honestly sized.

The bottom line, July 2026

Build-log redaction is a seatbelt, not a vault — and it only buckles for Sensitive-type variables.

The July 9 change closes a real and embarrassing leak class: secrets printed into build logs that get shared, pasted, and read far beyond the people who should hold them. The mechanics are precise — Sensitive-type variables, values of 32 characters or longer, two system vars always masked — and the precision is the point. Teams that know the exact gate can rely on it; teams that assume blanket redaction will be protected by a feature that, for their unmarked variables, never fires.

The context makes it more than a changelog footnote. April’s breach demonstrated, at customer expense, that Vercel’s encrypted tier held while the plaintext tier did not. Everything since — sensitive-by-default creation, org-wide enforcement, and now build-log masking — is the platform converging on the tier that survived. The same day’s AI SDK tool-drift defenses extend the identical instinct to the agentic stack: assume the pipeline’s inputs can turn hostile after you trusted them.

The work left is yours: mark the variables, enforce the policy, audit the NEXT_PUBLIC_ surface, keep rotating. Log redaction is the platform doing its part of a shared-responsibility split — the four vectors it cannot touch are the reminder that the other part still belongs to you.

Harden your deployment pipeline

Secrets discipline is a system, and build-log redaction is one layer.

Our team audits secrets handling, hardens CI/CD and agentic pipelines, and ships the fixes — variable-type migrations, rotation runbooks, and MCP trust boundaries — in days, not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Pipeline-security engagements

  • Vercel env var audits — type migration & enforcement
  • NEXT_PUBLIC_ exposure reviews for Next.js apps
  • Secret scanning & zero-downtime rotation runbooks
  • MCP trust boundaries & tool-drift monitoring
  • CI/CD supply-chain hardening across platforms
FAQ · Vercel build-log redaction

The questions engineering teams are asking this week.

Vercel published a changelog entry titled “Build logs now redact Sensitive Environment Variable values.” From that date, when a build step prints the value of an environment variable marked Sensitive and that value is 32 characters or longer, the build log masks it instead of showing it in plaintext. The Build Logs view indicates when a redaction happened, and each redaction writes an Activity Log event recording the variable key, project, and deployment — never the value itself. Two system variables, VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN, are redacted at any length. Nothing else about how environment variables work changed in this release.
Related dispatches

Continue exploring platform security.