> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-6 (GitLab) — Hardcoded secret in pipeline config

> Secrets committed to `.gitlab-ci.yml` are exposed to anyone with read access and live in git history forever. Store them as masked/protected CI/CD variables or in an external secrets manager.

| Field    | Value                                                                                                                              |
| -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-6`                                                                                                                       |
| Platform | GitLab CI                                                                                                                          |
| Severity | **HIGH**                                                                                                                           |
| Auto-fix | Flags credentials embedded directly in `variables:` blocks or `script:` lines (tokens, keys, suspicious credential-shaped values). |

## What the check does

Secrets committed to `.gitlab-ci.yml` are exposed to anyone with read access and live in git history forever. Store them as masked/protected CI/CD variables or in an external secrets manager.

## Why it matters

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
