> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-2 (GitLab) — Long-lived access token used instead of CI_JOB_TOKEN

> Long-lived tokens are standing secrets: if leaked they grant durable access until manually rotated. Prefer `CI_JOB_TOKEN` (scoped to the job) or short-lived tokens minted per pipeline.

| Field    | Value                                                                                                                                                                                 |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-2`                                                                                                                                                                          |
| Platform | GitLab CI                                                                                                                                                                             |
| Severity | **MEDIUM**                                                                                                                                                                            |
| Auto-fix | Flags CI/CD variables whose names indicate a long-lived personal, group, or project access token (`*_PAT`, `GITLAB_TOKEN`, `GROUP_TOKEN`) rather than the short-lived `CI_JOB_TOKEN`. |

## What the check does

Long-lived tokens are standing secrets: if leaked they grant durable access until manually rotated. Prefer `CI_JOB_TOKEN` (scoped to the job) or short-lived tokens minted per pipeline.

## Why it matters

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
