CI/CD variables (project- or group-scoped) should set protected = true. Protected variables are exposed only to pipelines running on protected branches and protected tags, which prevents feature branches and forks from exfiltrating secrets via a maliciously crafted .gitlab-ci.yml. Combine with a robust protected-branch policy (DOS6040+).
1. Go to project Settings > CI/CD > Variables (or the group equivalent).
2. For each secret variable, click Edit and toggle Protect variable.
3. Confirm the variable now appears with the Protected indicator.
4. Verify that protected branches are correctly configured (DOS6040+).
{
  "target": "GLCiVariable",
  "if": {
    "allOf": [
      {
        "resource": "GLCiVariable",
        "property": "Protected",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
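The policy above evaluates the Protected property of each GLCiVariable. As an added example (not DevOps Shield's or GitLab's own code), the script below applies the same check outside the product: it models GitLab's exposure rule for protected variables and lists the variables that a fork or feature-branch pipeline could read. It assumes the GitLab REST endpoint GET /projects/:id/variables (each object carries a boolean "protected" field) and a token with read_api scope in the GITLAB_TOKEN environment variable; the embedded sample is constructed.

```python
"""Audit GitLab CI/CD variables for the protected flag (added example)."""
import json
import os
import urllib.request

# Constructed sample in the shape of the /projects/:id/variables response.
SAMPLE_VARIABLES = json.loads("""
[
  {"key": "DEPLOY_KEY", "variable_type": "file", "protected": true,
   "masked": true, "environment_scope": "*"},
  {"key": "AWS_SECRET_ACCESS_KEY", "variable_type": "env_var",
   "protected": false, "masked": true, "environment_scope": "production"},
  {"key": "LOG_LEVEL", "variable_type": "env_var", "protected": false,
   "masked": false, "environment_scope": "*"}
]
""")


def exposed_to_job(variable, ref_is_protected):
    """Model GitLab's rule: a protected variable is injected only when the
    job runs on a protected branch or tag; an unprotected one always is."""
    return ref_is_protected or not variable.get("protected", False)


def unprotected_variables(variables):
    """Keys of variables that violate the protected = true requirement,
    i.e. the ones any pipeline on an unprotected ref can read."""
    return sorted(v["key"] for v in variables if not v.get("protected", False))


def fetch_project_variables(base_url, project_id, token):
    """Fetch live variables from a GitLab instance (network; optional)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}/variables",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    variables = SAMPLE_VARIABLES
    if os.environ.get("GITLAB_TOKEN") and os.environ.get("GITLAB_PROJECT_ID"):
        variables = fetch_project_variables(
            os.environ.get("GITLAB_URL", "https://gitlab.com"),
            os.environ["GITLAB_PROJECT_ID"], os.environ["GITLAB_TOKEN"])
    for key in unprotected_variables(variables):
        print(f"UNPROTECTED: {key}")
```

Set GITLAB_PROJECT_ID and GITLAB_TOKEN to run it against a real project; without them it audits the constructed sample and flags the two unprotected variables.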
Copyright © DevOps Shield. All Rights Reserved.