Feature Requests

Tell us what you'd like to see added to CircleCI.
SSH Session Recording and Logging for "Rerun with SSH" Sessions
Add the ability to record and stream shell commands and outputs from "Rerun job with SSH" sessions to customer-owned S3 buckets for SIEM ingestion and forensic analysis.

THE SECURITY CONCERN

When someone initiates "Rerun job with SSH," they gain access to the build environment where environment variables (secrets, API keys, credentials) may be accessible. If an account is compromised or a bad actor gains access, they could dump credentials using printenv or env, exfiltrate sensitive data, or take actions that wouldn't be logged or detected. Without session recording, security teams have no forensic trail to understand what occurred during an incident.

CUSTOMER SCENARIO

Customer (enterprise SaaS company) has flagged SSH rerun as a security risk. Their infosec team wants to stream session activity to S3 for SIEM ingestion (Sumo Logic/Datadog), create alerts for suspicious commands, have forensic evidence for incident response, and meet compliance requirements for audit trails.

CURRENT WORKAROUNDS AND GAPS

Context Expression Restrictions (not job.ssh.enabled) can block sensitive credentials during SSH sessions, but this reduces debugging utility and doesn't provide visibility. Audit Log Streaming captures session metadata but not session content. Disabling SSH entirely eliminates the risk but removes a valuable debugging tool.

REQUESTED CAPABILITY

Ideal: Native session recording similar to AWS Session Manager. Capture all shell input (commands typed) and stdout/stderr output. Stream to customer-owned S3 bucket in near real-time. Structured format (JSON) for easy SIEM ingestion.

Alternatives: JIT approval workflow for SSH sessions, webhook notifications when SSH sessions start, or integration with third-party session recording tools.
Security