Skip to main content
FieldValue
CategoryCICD-SEC-2
PlatformGitLab CI
SeverityMEDIUM
Auto-fixFlags CI/CD variables whose names indicate a long-lived personal, group, or project access token (*_PAT, GITLAB_TOKEN, GROUP_TOKEN) rather than the short-lived CI_JOB_TOKEN.

What the check does

Long-lived tokens are standing secrets: if leaked they grant durable access until manually rotated. Prefer CI_JOB_TOKEN (scoped to the job) or short-lived tokens minted per pipeline.

Why it matters

Findings for this rule fire only on .gitlab-ci.yml and .gitlab-ci/*.yml. It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see the rules overview for the full GitLab table.