Pipeline security
Secrets Management
Secrets management is the systems that developers use to securely store sensitive data in a secure environment with strict access controls. A secret is a sensitive credential that should be kept confidential. Examples of a secret include:
- Passwords
- SSH keys
- Access tokens
- Any other types of credentials where exposure would be harmful to an organization
Secrets storage
Secrets management providers
Secrets that are the most sensitive and under the strictest policies should be stored in a secrets manager. When using a secrets manager solution, secrets are stored outside of the GitLab instance. There are a number of providers in this space, including HashiCorp’s Vault, Azure Key Vault, and Google Cloud Secret Manager.
You can use the GitLab native integrations for certain external secret management providers to retrieve those secrets in CI/CD pipelines when they are needed.
CI/CD variables
CI/CD Variables are a convenient way to store and reuse data in a CI/CD pipeline, but variables are less secure than secrets management providers. Variable values:
- Are stored in the GitLab project, group, or instance settings. Users with access to the settings have access to variables values that are not hidden.
- Can be overridden, making it hard to determine which value was used.
- Can be exposed by accidental pipeline misconfiguration.
Information suitable for storage in a variable should be data that can be exposed without risk of exploitation (non-sensitive).
Sensitive data should be stored in a secrets management solution. If there is low sensitivity data that you want to store in a CI/CD variable, be sure to always:
- Mask the variables or Mask and hide the variable.
- Protect the variables when possible.
- Hide the variables when possible.