ISSUE-301 Critical Quick Platform CI/CD Secrets
Secret leak in pipeline configuration
Control: Pipeline configuration must not contain secrets · Config key: pipelineConfigurationMustNotContainSecrets
📋 What is this?
A secret, such as an API key or password, is hardcoded in the .gitlab-ci.yml file, making it visible to anyone with repository access.
⚠️ Impact
Hardcoded secrets increase the risk of unauthorized access to your systems, data leaks, and resource misuse. For example, if your API key is exposed, attackers could use it to access your cloud services, resulting in high costs or data theft.
🔧 How to fix
Revoke and rotate the exposed secret immediately, remove it from the configuration file, then inject it securely using GitLab CI/CD variables or an external secrets manager.
✗ Before
Secrets hardcoded in .gitlab-ci.yml are visible in the repository to all members.

# .gitlab-ci.yml — ❌ Hardcoded secrets (CRITICAL)
deploy:
  stage: deploy
  script:
    - export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
    - export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    - aws s3 sync . s3://my-bucket

api-call:
  variables:
    API_TOKEN: "ghp_exampleTokenHardcodedHere123"
  script:
    - curl -H "Authorization: token $API_TOKEN" https://api.example.com

✓ After
Secrets are stored securely as CI/CD variables, not in the repository.

# .gitlab-ci.yml — ✅ Secrets injected via CI/CD variables
deploy:
  stage: deploy
  script:
    # AWS credentials injected from protected CI/CD variables
    - aws s3 sync . s3://my-bucket

api-call:
  script:
    - curl -H "Authorization: token $API_TOKEN" https://api.example.com

# In GitLab: Settings > CI/CD > Variables
# Add: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, API_TOKEN
# Set Protected: true, Masked: true for each

💡 Tips
- If a secret was ever committed, treat it as compromised and rotate it immediately.
- Use GitLab's secret detection feature to scan for leaked credentials in your repository history.
- For production workloads, consider using an external secrets manager (HashiCorp Vault, AWS Secrets Manager, etc.).
- Add secret patterns to .gitignore or use pre-commit hooks to prevent accidental commits.
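As an added example, not part of this finding's own detection logic or of GitLab, the Python script below implements the pre-commit check suggested in the tips and the "How to fix" step: it scans a .gitlab-ci.yml for credential literals assigned under variables: or via export in a script: block, and passes values that merely reference a CI/CD variable such as $API_TOKEN or $CI_JOB_TOKEN. The secret-name keyword list, the regex widths (the GitHub prefix bound is loosened so the page's short sample value is caught) and the two constructed sample configs are assumptions for illustration; findings never include the secret value itself, so the output is safe to log.

```python
"""Scan .gitlab-ci.yml for hardcoded credentials (added example, not the platform's own check)."""
import re
import sys
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int   # 1-based line number in the config
    rule: str   # which heuristic fired
    name: str   # variable name, or "(inline)" for a bare value inside a command


# Variable names that usually hold a credential (deliberately broad heuristic; assumption).
SECRET_NAME = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL", re.I
)
# `- export NAME=value` inside a script: block
SHELL_EXPORT = re.compile(r"^\s*-?\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# `NAME: value` YAML mapping entry (e.g. under variables:)
YAML_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(\S.*)$")
# A value that only references a CI/CD variable ($NAME or ${NAME}) is what we want to see.
VAR_REF = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")

# Publicly documented credential prefixes. The widths are an assumption for this
# example; real GitHub tokens are longer than the 20-character lower bound used here.
VALUE_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
}


def classify_value(text: str) -> str:
    """Return the credential format found in text, or '' if none of the patterns matched."""
    for rule, pattern in VALUE_PATTERNS.items():
        if pattern.search(text):
            return rule
    return ""


def scan_ci_config(config: str) -> List[Finding]:
    """Return one Finding per line that hardcodes a credential literal.

    Comment and blank lines are skipped. An assignment is reported when its value
    is a literal (not a $VARIABLE reference) and either the value looks like a known
    credential format or the variable name looks like it holds a secret.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SHELL_EXPORT.match(raw) or YAML_ASSIGN.match(raw)
        if match:
            name = match.group(1)
            value = match.group(2).strip().strip("'\"")
            if value and not VAR_REF.match(value):
                rule = classify_value(value)
                if rule or SECRET_NAME.search(name):
                    findings.append(Finding(lineno, rule or "hardcoded-credential", name))
            continue
        # Not an assignment (e.g. a `- curl ...` command): look for a bare credential value.
        rule = classify_value(line)
        if rule:
            findings.append(Finding(lineno, rule, "(inline)"))
    return findings


# Constructed samples mirroring the "Before" and "After" configs above.
BEFORE = """\
deploy:
  stage: deploy
  script:
    - export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
    - export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    - aws s3 sync . s3://my-bucket

api-call:
  variables:
    API_TOKEN: "ghp_exampleTokenHardcodedHere123"
  script:
    - curl -H "Authorization: token $API_TOKEN" https://api.example.com
"""

AFTER = """\
deploy:
  stage: deploy
  script:
    # AWS credentials injected from protected CI/CD variables
    - aws s3 sync . s3://my-bucket

api-call:
  script:
    - curl -H "Authorization: token $API_TOKEN" https://api.example.com
"""


def main(paths: List[str]) -> int:
    """Scan the given files (or the constructed samples); exit 1 on any finding."""
    sources = [(p, Path(p).read_text(encoding="utf-8")) for p in paths] or [
        ("BEFORE (constructed)", BEFORE), ("AFTER (constructed)", AFTER)]
    total = 0
    for label, cfg in sources:
        for f in scan_ci_config(cfg):
            print(f"{label}:{f.line}: {f.rule} hardcoded in {f.name}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scan_ci_secrets.py .gitlab-ci.yml` from a pre-commit hook; the non-zero exit status blocks the commit. Run with no arguments, it reports three findings for the "Before" sample (the AWS key ID, the AWS secret and the GitHub token) and none for the "After" sample. The name heuristic is intentionally broad, so an occasional false positive on a harmless key such as TOKEN_TTL is the expected trade-off.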