Pipeline security
Secrets Management
Secrets management is the systems that developers use to securely store sensitive data in a secure environment with strict access controls. A secret is a sensitive credential that should be kept confidential, and includes:
- Passwords.
- SSH keys.
- Access tokens.
- Any other types of credentials where exposure would be harmful to an organization.
Secrets storage
Secrets management providers
Secrets that are the most sensitive and under the strictest policies should be stored in a secrets management. Vault is one provider in this space. When using Vault, secrets are stored outside of the GitLab instance.
You can use the GitLab Vault integration to retrieve those secrets in CI/CD pipelines when they are needed.
CI/CD variables
CI/CD Variables are a convenient way to store and use data in a CI/CD pipeline, but variables are less secure than secrets management providers. Variable values:
- Are stored in the GitLab project, group, or instance settings. Users with access to the settings have access to the variables.
- Can be overridden, making it hard to determine which value was used.
- Can be exposed by accidental pipeline misconfiguration.
Sensitive data should be stored in a secrets management solution. If there is low sensitivity data that you want to store in a CI/CD variable, be sure to always:
- Mask the variables.
- Protect the variables when possible.