Skip to main content
On this page
ISSUE-301 Critical Quick CI/CD Secrets

Secret leak in pipeline configuration

Control: Pipeline configuration must not contain secrets · Config key: pipelineConfigurationMustNotContainSecrets

📋 What is this?

A secret, such as an API key or password, is hardcoded in the .gitlab-ci.yml file, making it visible to anyone with repository access.

⚠️ Impact

Hardcoded secrets increase the risk of unauthorized access to your systems, data leaks, and resource misuse. For example, if your API key is exposed, attackers could use it to access your cloud services, resulting in high costs or data theft.

🔧 How to fix

Revoke and rotate the exposed secret immediately, remove it from the configuration file, then inject it securely using GitLab CI/CD variables or an external secrets manager.

✗ Before Secrets hardcoded in .gitlab-ci.yml are visible in the repository to all members.
# .gitlab-ci.yml — ❌ Hardcoded secrets (CRITICAL)
deploy:
  stage: deploy
  script:
    - export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
    - export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    - aws s3 sync . s3://my-bucket


api-call:
  variables:
    API_TOKEN: "ghp_exampleTokenHardcodedHere123"
  script:
    - curl -H "Authorization: token $API_TOKEN" https://api.example.com
✓ After Secrets are stored securely as CI/CD variables, not in the repository.
# .gitlab-ci.yml — ✅ Secrets injected via CI/CD variables
deploy:
  stage: deploy
  script:
    # AWS credentials injected from protected CI/CD variables
    - aws s3 sync . s3://my-bucket


api-call:
  script:
    - curl -H "Authorization: token $API_TOKEN" https://api.example.com


# In GitLab: Settings > CI/CD > Variables
# Add: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, API_TOKEN
# Set Protected: true, Masked: true for each

💡 Tips

  • If a secret was ever committed, treat it as compromised and rotate it immediately.
  • Use GitLab's secret detection feature to scan for leaked credentials in your repository history.
  • For production workloads, consider using an external secrets manager (HashiCorp Vault, AWS Secrets Manager, etc.).
  • Add secret patterns to .gitignore or use pre-commit hooks to prevent accidental commits.

⚙️ Configuration

This control is configured in .plumber.yaml under the key:

controls:
  pipelineConfigurationMustNotContainSecrets:
    enabled: true

See the CLI documentation for the full configuration reference.

🔗 Related issues

ISSUE-201 Unprotected variable
Medium Quick
ISSUE-202 Unmasked variable
Medium Quick