| Field | Value |
|---|---|
| Category | CICD-SEC-6 |
| Platform | GitLab CI |
| Severity | HIGH |
| Auto-fix | Flags credentials embedded directly in variables: blocks or script: lines (tokens, keys, suspicious credential-shaped values). |
What the check does
Secrets committed to.gitlab-ci.yml are exposed to anyone with read access and live in git history forever. Store them as masked/protected CI/CD variables or in an external secrets manager.
Why it matters
Findings for this rule fire only on.gitlab-ci.yml and .gitlab-ci/*.yml.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the rules overview for the full
GitLab table.