ISSUE-201 · Medium · Quick · CI/CD Variables
Unprotected variable
Control: CI/CD variables must be protected · Config key: cicdVariablesMustBeProtected
📋 What is this?
An unprotected CI/CD variable is injected into pipelines on every branch and tag of the project, so any member who can push a branch or run a pipeline (Developer role or higher) can read its value from a job they control.
⚠️ Impact
Any project member who can run a pipeline on an unprotected branch can read and misuse the variable, even though the project's protected branches are locked down. For example, if your deployment key is available to pipelines on unprotected branches, a member with the Developer role can push a branch whose job uses that key to deploy malicious code, without ever needing write access to the release branch.
🔧 How to fix
Mark sensitive CI/CD variables as protected so that GitLab injects them only into pipelines running on protected branches or tags.
✗ Before

The DEPLOY_KEY variable is not protected and can be used on any branch.

```yaml
# GitLab project settings — ❌ Variable not protected
# Settings > CI/CD > Variables:
#
# Key: DEPLOY_KEY
# Value: -----BEGIN RSA PRIVATE KEY-----...
# Protected: false ← Any branch can use this
# Masked: true
#
# This variable is available in ALL pipelines, including
# those triggered from unprotected branches by any member
# who can run a pipeline (Developer role or higher).
```

✓ After

Protecting the variable restricts its use to protected branches and tags only.

```yaml
# GitLab project settings — ✅ Variable protected
# Settings > CI/CD > Variables:
#
# Key: DEPLOY_KEY
# Value: -----BEGIN RSA PRIVATE KEY-----...
# Protected: true ← Only available on protected branches/tags
# Masked: true
#
# .plumber.yaml
controls:
  cicdVariablesMustBeProtected:
    enabled: true
```

💡 Tips
- Enable variable protection in GitLab under **Settings > CI/CD > Variables**.
- Protected variables are only injected into pipelines running on protected branches or tags, so the control is only as strong as the branch protection rules: review who is allowed to push and merge under **Settings > Repository > Protected branches**.
- Combine with masking (see ISSUE-202) to also hide the value from job logs. Masking only redacts the literal value in logs; a job can still print the value encoded, so masking is a complement to protection, not a replacement for it.
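The following script is an added example of how to audit a project for this issue and apply the fix through the GitLab REST API; it is not code from the page or from the plumber tool. It uses only the Python standard library and the documented endpoints `GET /projects/:id/variables` and `PUT /projects/:id/variables/:key`. The sample API response, the `SENSITIVE_MARKERS` name heuristic, and the function names are assumptions made for the example; `find_unprotected` mirrors the control on the page (every unprotected variable is a finding) and, with `sensitive_only=True`, narrows the list to the variables a practitioner would fix first.

```python
"""Audit GitLab project CI/CD variables for unprotected entries (added example)."""
import json
import urllib.parse
import urllib.request

# Constructed sample of a GET /projects/:id/variables response. Values are
# shortened; the real API returns the full value to Maintainers and above.
SAMPLE_VARIABLES = json.loads("""[
  {"key": "DEPLOY_KEY", "value": "-----BEGIN RSA PRIVATE KEY-----...",
   "protected": false, "masked": true, "environment_scope": "*"},
  {"key": "AWS_SECRET_ACCESS_KEY", "value": "wJalr...",
   "protected": false, "masked": false, "environment_scope": "production"},
  {"key": "RELEASE_TOKEN", "value": "glpat-...",
   "protected": true, "masked": true, "environment_scope": "*"},
  {"key": "NODE_ENV", "value": "production",
   "protected": false, "masked": false, "environment_scope": "*"}
]""")

# Assumed name heuristic for triage; not a list from GitLab or the page.
SENSITIVE_MARKERS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASSWD", "CREDENTIAL")


def is_sensitive(key):
    """True when the variable name suggests it holds a credential."""
    upper = key.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def find_unprotected(variables, sensitive_only=False):
    """Return findings for the cicdVariablesMustBeProtected control.

    Every variable with protected == false is a finding, as on the page.
    With sensitive_only=True only names matching SENSITIVE_MARKERS are kept,
    which is the order in which a practitioner would usually remediate.
    """
    findings = []
    for var in variables:
        if var["protected"]:
            continue
        likely_secret = is_sensitive(var["key"])
        if sensitive_only and not likely_secret:
            continue
        findings.append({
            "key": var["key"],
            "masked": var["masked"],
            "environment_scope": var.get("environment_scope", "*"),
            "likely_secret": likely_secret,
        })
    return findings


def _project_path(base_url, project_id):
    # The project can be a numeric ID or a URL-encoded "group/project" path.
    return f"{base_url.rstrip('/')}/api/v4/projects/{urllib.parse.quote(str(project_id), safe='')}"


def list_variables(base_url, project_id, token):
    """GET /projects/:id/variables (needs Maintainer access). Single page only;
    projects with more than 100 variables need the usual page= iteration."""
    url = _project_path(base_url, project_id) + "/variables?per_page=100"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def protect_variable(base_url, project_id, key, token, environment_scope="*"):
    """PUT /projects/:id/variables/:key with protected=true.

    filter[environment_scope] is how the API disambiguates a key that exists
    in several environment scopes; omit it and GitLab may reject the update.
    """
    url = (_project_path(base_url, project_id)
           + "/variables/" + urllib.parse.quote(key, safe="")
           + "?filter[environment_scope]=" + urllib.parse.quote(environment_scope, safe=""))
    body = urllib.parse.urlencode({"protected": "true"}).encode()
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def remediate(base_url, project_id, token, sensitive_only=True):
    """Audit a live project and protect every finding; returns the keys changed."""
    changed = []
    for finding in find_unprotected(list_variables(base_url, project_id, token), sensitive_only):
        protect_variable(base_url, project_id, finding["key"], token, finding["environment_scope"])
        changed.append(finding["key"])
    return changed


if __name__ == "__main__":
    # Offline run against the constructed sample: prints the findings only.
    for finding in find_unprotected(SAMPLE_VARIABLES):
        print(f"{finding['key']:<24} masked={finding['masked']!s:<5} "
              f"scope={finding['environment_scope']:<11} likely_secret={finding['likely_secret']}")
```

To run it against a real project, call `remediate("https://gitlab.example.com", "group/project", token)` with a token that has `api` scope and Maintainer access; review the findings from `find_unprotected` first, because protecting a variable that a legitimate feature-branch pipeline relies on will break that pipeline until the job is moved to a protected branch or tag.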
⚙️ Configuration
This control is configured in .plumber.yaml under the key:

```yaml
controls:
  cicdVariablesMustBeProtected:
    enabled: true
```

See the CLI documentation for the full configuration reference.