GitLab project | Severity: medium | builtIn

Description

CI/CD variables should not use the wildcard environment_scope = '*' for sensitive secrets (production database credentials, signing keys, deploy tokens). A wildcard scope makes the variable available to every environment, including staging/dev pipelines that may run untrusted code. Use environment-specific scopes (production, staging, dev) and create one variable entry per environment, each carrying the value appropriate to that environment.

Recommendation

1. Go to project Settings > CI/CD > Variables (or group equivalent).
2. For sensitive variables with environment_scope = '*', edit and set a specific environment name (e.g., production).
3. Add separate variable entries for other environments with appropriate values.
4. Verify the protected-branch + environment-scope combination matches your deployment topology.
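The following script is an added example (not GitLab's code and not part of this rule) that applies the description and the recommendation above programmatically: it lists a project's CI/CD variables, flags sensitive-looking ones whose environment_scope is '*', and can re-scope a flagged entry to a named environment. It assumes the GitLab REST API v4 project-variable endpoints (GET /projects/:id/variables and PUT /projects/:id/variables/:key with filter[environment_scope]); the key-name heuristic for "sensitive", the sample variable list, and the GITLAB_URL / GITLAB_TOKEN / GITLAB_PROJECT_ID environment variable names are constructed for this example.

```python
"""Audit GitLab CI/CD variables for sensitive secrets with a wildcard scope.

Added example, not GitLab code. Assumed endpoints (GitLab REST API v4):
  GET /projects/:id/variables
  PUT /projects/:id/variables/:key?filter[environment_scope]=*
"""
import json
import os
import re
import urllib.parse
import urllib.request

# Constructed heuristic: key names that usually hold secrets.
SENSITIVE_KEY_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|PRIVATE_KEY|SIGNING|DB_|DATABASE|CREDENTIAL|API_KEY)",
    re.IGNORECASE,
)

# Constructed sample of what GET /projects/:id/variables returns (trimmed fields).
SAMPLE_VARIABLES = [
    {"key": "PROD_DB_PASSWORD", "environment_scope": "*", "protected": False, "masked": True},
    {"key": "DEPLOY_TOKEN", "environment_scope": "production", "protected": True, "masked": True},
    {"key": "APP_LOG_LEVEL", "environment_scope": "*", "protected": False, "masked": False},
    {"key": "SIGNING_KEY", "environment_scope": "*", "protected": True, "masked": False},
]


def is_sensitive(key: str) -> bool:
    """True if the variable name looks like it holds a secret."""
    return bool(SENSITIVE_KEY_RE.search(key))


def find_wildcard_secrets(variables):
    """Return sensitive-looking variables that are visible to every environment.

    GitLab defaults environment_scope to "*" when it is omitted, so a missing
    field is treated as wildcard. An unprotected wildcard secret is the worst
    case: it is exposed to pipelines on any branch, not just protected ones.
    """
    findings = []
    for var in variables:
        scope = var.get("environment_scope", "*")
        if scope == "*" and is_sensitive(var["key"]):
            findings.append({
                "key": var["key"],
                "protected": bool(var.get("protected", False)),
                "masked": bool(var.get("masked", False)),
                "risk": "high" if not var.get("protected", False) else "medium",
            })
    return findings


def _request(method, url, token, data=None):
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def fetch_variables(base_url, project_id, token):
    """GET all project-level variables (per_page=100 is the API maximum)."""
    url = f"{base_url}/api/v4/projects/{project_id}/variables?per_page=100"
    return _request("GET", url, token)


def rescope_variable(base_url, project_id, token, key, new_scope):
    """Move the '*'-scoped entry of `key` to `new_scope` (recommendation step 2).

    The filter selects the wildcard entry specifically, because one key may have
    several entries that differ only by environment_scope.
    """
    query = urllib.parse.urlencode({"filter[environment_scope]": "*"})
    url = (f"{base_url}/api/v4/projects/{project_id}/variables/"
           f"{urllib.parse.quote(key, safe='')}?{query}")
    body = urllib.parse.urlencode({"environment_scope": new_scope}).encode()
    return _request("PUT", url, token, data=body)


def main():
    base_url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    project_id = os.environ.get("GITLAB_PROJECT_ID")
    if base_url and token and project_id:
        variables = fetch_variables(base_url.rstrip("/"), project_id, token)
    else:
        variables = SAMPLE_VARIABLES  # offline run against the constructed sample
    for finding in find_wildcard_secrets(variables):
        print(json.dumps(finding))


if __name__ == "__main__":
    main()
```

Run without environment variables to see the two constructed findings (PROD_DB_PASSWORD and SIGNING_KEY); with GITLAB_URL, GITLAB_TOKEN and GITLAB_PROJECT_ID set it audits a real project. After re-scoping with rescope_variable, remember step 3: add the staging/dev entries with their own values, since the re-scoped entry is no longer visible to those environments.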

Policy Rule

{
  "target": "GLCiVariable",
  "if": {
    "allOf": [
      {
        "resource": "GLCiVariable",
        "property": "EnvironmentScope",
        "operator": "notEquals",
        "value": "*"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}