author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-30 21:10:09 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-30 21:10:09 +0300 |
commit | d899d2a373f8be3d94760299faafa19c3c432c1e (patch) | |
tree | c4648e948c6f8c5428bc0e0046b1dc2200e00402 /doc/ci/variables | |
parent | 69d28d313c2a65ead87229841a50bfc130e8c952 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/ci/variables')
-rw-r--r-- | doc/ci/variables/README.md | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/doc/ci/variables/README.md b/doc/ci/variables/README.md index 5796a5c6b7d..c18695c6719 100644 --- a/doc/ci/variables/README.md +++ b/doc/ci/variables/README.md @@ -603,11 +603,18 @@ to enable the `restrict_user_defined_variables` setting. The setting is `disable ## Limit the environment scope of a CI/CD variable -You can limit the environment scope of a variable by -[defining which environments](../environments/index.md) it can be available for. +By default, all CI/CD variables are available to any job in a pipeline. Therefore, if a project uses a +compromised tool in a test job, it could expose all CI/CD variables that a deployment job used. This is +a common scenario in supply chain attacks. GitLab helps mitigate supply chain attacks by limiting +the environment scope of a variable. GitLab does this by +[defining which environments and corresponding jobs](../environments/index.md) +the variable can be available for. To learn more about scoping environments, see [Scoping environments with specs](../environments/index.md#scoping-environments-with-specs). +To learn more about ensuring CI/CD variables are only exposed in pipelines running from protected +branches or tags, see [Protect a CI/CD Variable](#protect-a-cicd-variable). + ## Deployment variables Integrations that are responsible for deployment configuration can define their own |
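Review bot: In the rewritten opening paragraph under "Limit the environment scope of a CI/CD variable", the sentence "GitLab does this by [defining which environments and corresponding jobs]" makes GitLab the actor, while the removed text ("You can limit the environment scope of a variable by") made it clear that the user configures the scope. Because the paragraph now opens by saying that all CI/CD variables are available to any job by default, a reader could conclude that the mitigation is automatic. Suggest keeping the user as the subject, for example "You can help mitigate this by limiting the environment scope of a variable, defining which environments and corresponding jobs it is available for." Two smaller points in the same hunk: "that a deployment job used" should be present tense ("uses") to match "uses a compromised tool", and the link text "Protect a CI/CD Variable" capitalizes "Variable" while the headings visible here use sentence case ("Limit the environment scope of a CI/CD variable"), so please match the target heading and confirm that the `#protect-a-cicd-variable` anchor resolves in this file.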