by chatmasta
1902 days ago
No, GitLab does not allow marking variables as secrets. They allow "masking" env variables, subject to a bunch of caveats, like your secrets not being multiple lines (e.g. a private key cannot be masked). Even then, the masking is just about log output -- it doesn't prevent an `env | curl` type situation. [0]

The correct mitigation is to ensure that any "secret" variables are marked as "protected" so they can only run on protected branches that are limited to pushes by maintainers. And you'll still need to make sure the masking works in the logs.

They do support integrating with Vault to access secrets in a CI job, but you need to pay them to use that feature. [1]

[0] https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variabl...

[1] https://docs.gitlab.com/ee/ci/secrets/
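
A check for the protected and masked settings discussed in the comment above, as an added example that is not part of the original comment. The record fields (`key`, `value`, `protected`, `masked`) follow GitLab's project variables API; the secret-name pattern and the sample records are constructed assumptions.

```python
import re

# Assumption: a variable is treated as a secret when its key matches this pattern.
SECRET_KEY_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|PRIVATE_KEY|API_KEY)", re.I)


def audit_variables(variables):
    """Return (key, finding) tuples for secret-looking CI/CD variables."""
    findings = []
    for var in variables:
        key = var["key"]
        if not SECRET_KEY_RE.search(key):
            continue
        # Unprotected variables are handed to jobs on every branch,
        # including branches that non-maintainers can push to.
        if not var.get("protected", False):
            findings.append((key, "not protected: available to jobs on any branch"))
        # Multi-line values (e.g. a private key) cannot be masked at all.
        if "\n" in var.get("value", "").strip():
            findings.append((key, "multi-line value: cannot be masked in job logs"))
        elif not var.get("masked", False):
            findings.append((key, "not masked: value may appear in job logs"))
    return findings


# Constructed sample records, shaped like the variables API response.
SAMPLE = [
    {"key": "DEPLOY_TOKEN", "value": "constructed-value-0",
     "protected": True, "masked": True},
    {"key": "REGISTRY_PASSWORD", "value": "constructed-value-1",
     "protected": False, "masked": True},
    {"key": "SSH_PRIVATE_KEY", "value": "line-one\nline-two\n",
     "protected": True, "masked": False},
    {"key": "API_KEY", "value": "constructed-value-2",
     "protected": False, "masked": False},
    {"key": "BUILD_FLAVOR", "value": "release",
     "protected": False, "masked": False},
]

if __name__ == "__main__":
    for key, finding in audit_variables(SAMPLE):
        print(f"{key}: {finding}")
```

A clean result only covers the two settings; masking still applies to log output alone, so the protected flag is the control that limits which jobs receive the value.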