Salesforce CLI Security Update: Prepare Your CI/CD Pipelines

Vinay Vernekar · 5 min read

Salesforce is rolling out critical security updates to the Salesforce CLI (SF CLI) that will alter how sensitive information, such as access tokens and authentication URLs, is handled. These changes aim to prevent accidental credential exposure, particularly in AI-assisted workflows. This update will impact existing CI/CD pipelines and automation scripts, requiring developers to adapt to new command structures.

The changes are currently available in the SF CLI release candidate (RC) and will be deployed to the production release on Wednesday, May 27, 2026. Failing to prepare for this transition could lead to significant disruptions in deployment processes.

Key Changes to Credential Handling

According to Mitch Spano, Director of Product Management at Salesforce, the primary goal is to redact secrets from standard human-readable and --json outputs of common commands. This means commands like sf org display will no longer directly expose sensitive artifacts.

Commands Impacted and Affected Secrets:

  • sf org display
  • sf org list
  • sf org create scratch
  • sf org resume scratch
  • sf org display user
  • sf org list users
  • sf org login jwt
  • sf org login web
  • sf org login sfdx-url
  • sf org login access-token
  • sf org list auth

These commands will now redact sensitive data including: Access Token, Auth URL, and Password.

New Commands for Credential Retrieval

To retrieve sensitive information going forward, developers must utilize new, dedicated commands. These commands are designed to be more explicit and interactive, requiring a deliberate action to expose credentials.

New Credential Retrieval Commands:

  • sf org auth show-access-token: Retrieves the Access Token.
  • sf org auth show-sfdx-auth-url: Retrieves the SFDX Auth URL.
  • sf org auth show-user-password: Retrieves the user's password.

These new commands are interactive by default and will display a security warning. For use in non-interactive environments, such as CI/CD pipelines, you must append --json or --no-prompts to these new commands.

Temporary Workaround and Migration Timeline

Salesforce acknowledges the potential for immediate pipeline breakage and has provided a temporary environment variable workaround: SF_TEMP_SHOW_SECRETS=true. Injecting this variable into your CI/CD environment temporarily restores the legacy behavior, in which the commands listed above include secrets in their output.

Important Dates & Actions:

  • May 27, 2026 (Production Release): Secrets are removed from existing commands. If pipelines break, deploy the temporary environment variable workaround immediately.
  • Summer 2026: The temporary environment variable workaround will be permanently decommissioned. All workflows must be updated to use the new dedicated commands by this date.

It is strongly recommended to review and refactor your CI/CD scripts to use the new explicit commands as soon as possible to avoid reliance on the temporary workaround.

Rationale Behind the Changes

These security enhancements are part of a long-term strategy to strengthen the security posture of the Salesforce CLI. A recent security review highlighted elevated risks associated with sensitive credentials being exposed through standard CLI workflows, especially considering the rise of AI coding agents that may log execution outputs in plain text.

By shifting to an explicit credential retrieval model, Salesforce aims to ensure that accessing sensitive information requires deliberate user intent and is clearly marked as a high-risk operation, aligning with broader platform security objectives.

Community Reaction and Concerns

While the need for enhanced security is widely recognized, the rapid timeline for this change has raised concerns within the developer community regarding CI/CD pipeline disruptions. Some developers have noted that while functionality isn't being removed, it's being "reshuffled," requiring significant effort to adapt existing automation.

Architectural concerns have also been raised, particularly regarding the potential for a single compromise of the SF CLI to grant access to multiple Salesforce orgs, especially for consultancies managing numerous client environments. The possibility of future, more stringent security measures like multi-factor authentication for CLI connections has also been discussed, which would necessitate a separation between developer commands and CI/CD automation commands.

Actionable Steps for Developers

  1. Audit CI/CD Scripts: Immediately review all CI/CD pipelines and automation scripts that interact with the SF CLI for dependencies on sensitive credential outputs.
  2. Update Commands: Refactor scripts to use the new sf org auth show-* commands.
  3. Implement --json or --no-prompts: Append these flags to the new credential retrieval commands for non-interactive CI/CD usage.
  4. Utilize Temporary Workaround (If Necessary): If immediate pipeline breakage occurs after May 27, deploy the SF_TEMP_SHOW_SECRETS=true environment variable as a temporary measure.
  5. Plan for Permanent Migration: Ensure all workflows are updated to the new commands before the temporary workaround is removed in Summer 2026.
  6. Monitor GitHub: Keep an eye on the official Salesforce CLI GitHub repository for detailed updates and discussions regarding these changes.
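
The audit in steps 1 to 4 can be partly automated. The following is an added example, not code from the article or from Salesforce: it scans a pipeline script for the affected commands, the new commands run without --json or --no-prompts, and the temporary workaround. The field names accessToken, sfdxAuthUrl and password, the finding labels, and the sample script are assumptions made for illustration.

```python
import re

# Commands the article lists as redacting secrets after the update.
LEGACY_CMD = re.compile(
    r"\bsf\s+org\s+(?:display(?:\s+user)?|list(?:\s+(?:users|auth))?|"
    r"create\s+scratch|resume\s+scratch|"
    r"login\s+(?:jwt|web|sfdx-url|access-token))(?![\w-])")
# New explicit retrieval commands named in the article.
NEW_CMD = re.compile(
    r"\bsf\s+org\s+auth\s+show-(?:access-token|sfdx-auth-url|user-password)(?![\w-])")
NONINTERACTIVE = re.compile(r"(?<!\S)--(?:json|no-prompts)(?!\S)")
# Assumption: names under which scripts pull the now-redacted values out of output.
SECRET_FIELD = re.compile(r"accessToken|sfdxAuthUrl|password|Access Token|Auth URL", re.I)
WORKAROUND = re.compile(r"\bSF_TEMP_SHOW_SECRETS\b")

def audit(script_text):
    """Return (line_number, finding, line) tuples for one pipeline script."""
    findings, legacy_seen = [], False
    for no, raw in enumerate(script_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if WORKAROUND.search(line):
            findings.append((no, "temporary-workaround", line))
        if NEW_CMD.search(line):
            # The article says these commands are interactive unless flagged.
            if not NONINTERACTIVE.search(line):
                findings.append((no, "new-command-will-prompt", line))
        elif LEGACY_CMD.search(line):
            legacy_seen = True
            if SECRET_FIELD.search(line):
                findings.append((no, "legacy-secret-read", line))
        elif legacy_seen and SECRET_FIELD.search(line):
            # Output was saved earlier and the secret is extracted on a later line.
            findings.append((no, "secret-field-parsed-later", line))
    return findings

# Constructed sample script, not taken from any real pipeline.
SAMPLE = """\
# deploy.sh
export SF_TEMP_SHOW_SECRETS=true
TOKEN=$(sf org display --json | jq -r .result.accessToken)
sf org display --verbose --json > org.json
URL=$(jq -r .result.sfdxAuthUrl org.json)
sf org auth show-access-token
sf org auth show-sfdx-auth-url --json
"""

if __name__ == "__main__":
    for no, finding, line in audit(SAMPLE):
        print(f"line {no}: {finding}: {line}")
```

The matching is line-based and heuristic, so treat each finding as a pointer for manual review rather than a complete inventory.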

Key Takeaways

  • Salesforce CLI is enhancing security by redacting sensitive credentials from standard command outputs.
  • New, explicit commands like sf org auth show-access-token are required for credential retrieval.
  • CI/CD pipelines that read credentials from the output of the affected commands will break unless they are updated to use the new commands or the temporary SF_TEMP_SHOW_SECRETS=true workaround.
  • The temporary workaround will be decommissioned in Summer 2026, necessitating a permanent migration.
  • Proactive review and refactoring of automation scripts are crucial to avoid deployment disruptions and ensure continued operational efficiency.
