Skip to main content
FieldValue
CategoryCICD-SEC-6
PlatformGitLab CI
SeverityHIGH
Auto-fixFlags credentials embedded directly in variables: blocks or script: lines (tokens, keys, suspicious credential-shaped values).

What the check does

Secrets committed to .gitlab-ci.yml are exposed to anyone with read access and live in git history forever. Store them as masked/protected CI/CD variables or in an external secrets manager.

Why it matters

Findings for this rule fire only on .gitlab-ci.yml and .gitlab-ci/*.yml. It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see the rules overview for the full GitLab table.