GitLab CI Security & Variables

Manage credentials and CI scopes securely.

Details

Language / Topic
gitlab-ci (GitLab CI/CD)
Category
Security

Rules

balanced
- Store secrets as CI/CD variables with the `masked` and `protected` flags set — never hardcode credentials in `.gitlab-ci.yml`, where they end up in the repository history.
- Restrict production deployment jobs to protected branches and protected environments with required approvals.
- Store secrets as CI/CD variables with `masked: true` (hidden from logs) and `protected: true` (only on protected branches).
- Use protected environments with required approvals for production deployments.
- Pin container images to SHA digests in `image:` directives — avoid mutable tags like `latest`.
- Use `id_tokens` for OIDC-based cloud authentication instead of storing long-lived cloud credentials.
- Enable SAST, dependency scanning, and secret detection in the CI pipeline using GitLab's built-in templates.
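The following `.gitlab-ci.yml` is an added example, not taken from the original page, showing how the rules above fit together in one pipeline: the built-in scanner templates are included, the base image is pinned to a digest, the production job is restricted to the default branch and bound to a `production` environment, and cloud access uses a short-lived `id_tokens` OIDC token instead of a stored key. The image digest, environment URL, OIDC audience, AWS role ARN, `DEPLOY_TOKEN` variable and `deploy.sh` script are placeholders or assumptions; the masked/protected flags and the protected-environment approval rules live in project settings, not in this file.

```yaml
# Added example (not from the original page). Placeholders are marked.
stages:
  - test
  - deploy

# GitLab's built-in security scanners (SAST, dependency scanning,
# secret detection) run in the test stage with their default jobs.
include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

# Pin the image to a digest, not a mutable tag. The digest below is a
# placeholder; replace it with the digest of the image you verified.
default:
  image: alpine:3.19@sha256:<IMAGE_DIGEST_PLACEHOLDER>

# No secrets are declared here. `DEPLOY_TOKEN` is assumed to exist as a
# project CI/CD variable (Settings > CI/CD > Variables) with "Mask variable"
# and "Protect variable" enabled, so its value is redacted from job logs and
# only injected into jobs on protected branches or tags.
variables:
  APP_ENV: "production"   # non-secret configuration is fine in the file

deploy_production:
  stage: deploy
  # Only the (protected) default branch may run this job. The "production"
  # environment is assumed to be configured as a protected environment with
  # required approvers under Settings > CI/CD > Protected environments.
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  environment:
    name: production
    url: https://example.invalid   # placeholder
  # Request a short-lived OIDC token for this job instead of storing a
  # long-lived cloud key. The audience value is an assumption; the cloud
  # role's trust policy must accept tokens from this GitLab instance.
  id_tokens:
    AWS_ID_TOKEN:
      aud: https://gitlab.example.com
  script:
    # The AWS CLI/SDK exchanges the web identity token for temporary
    # credentials when these two variables are set. The role ARN is a placeholder.
    - echo "$AWS_ID_TOKEN" > "$CI_PROJECT_DIR/.web_identity_token"
    - export AWS_WEB_IDENTITY_TOKEN_FILE="$CI_PROJECT_DIR/.web_identity_token"
    - export AWS_ROLE_ARN="arn:aws:iam::000000000000:role/PLACEHOLDER-deploy-role"
    - aws sts get-caller-identity
    - ./deploy.sh   # assumed script; reads $DEPLOY_TOKEN from the masked variable
```

Two checks worth doing when adopting this: a variable can only be masked if its value meets GitLab's masking constraints (at least 8 characters on a single line, limited character set), so confirm the flag actually took effect in the variable list rather than assuming it; and verify that the protected-branch rule and the protected environment are both in place, since the `rules:` clause alone does not stop a maintainer from unprotecting the branch.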