| Field | Value |
|---|---|
| Category | CICD-SEC-2 |
| Platform | GitLab CI |
| Severity | MEDIUM |
| Auto-fix | Flags CI/CD variables whose names indicate a long-lived personal, group, or project access token (*_PAT, GITLAB_TOKEN, GROUP_TOKEN) rather than the short-lived CI_JOB_TOKEN. |
What the check does
Long-lived tokens are standing secrets: if leaked they grant durable access until manually rotated. PreferCI_JOB_TOKEN (scoped to the job) or short-lived tokens minted per pipeline.
Why it matters
Findings for this rule fire only on.gitlab-ci.yml and .gitlab-ci/*.yml.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the rules overview for the full
GitLab table.