---
stage: Verify
group: Pipeline Security
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# Pipeline security
## Secrets Management
Secrets management refers to the systems that developers use to store sensitive data
in an environment with strict access controls. A **secret** is a sensitive credential
that should be kept confidential, and includes:
- Passwords.
- SSH keys.
- Access tokens.
- Any other types of credentials where exposure would be harmful to an organization.
## Secrets storage
### Secrets management providers
Secrets that are the most sensitive and under the strictest policies should be stored
in a secrets management provider. [Vault](https://www.vaultproject.io) is one provider in this space.
When using Vault, secrets are stored outside of the GitLab instance.
You can use the GitLab [Vault integration](../secrets/index.md#use-vault-secrets-in-a-ci-job)
to retrieve those secrets in CI/CD pipelines when they are needed.
### CI/CD variables
[CI/CD Variables](../variables/index.md) are a convenient way to store and use data
in a CI/CD pipeline, but variables are less secure than secrets management providers.
Variable values:
- Are stored in the GitLab project, group, or instance settings. Users with access
to the settings have access to the variables.
- Can be [overridden](../variables/index.md#override-a-defined-cicd-variable),
making it hard to determine which value was used.
- Can be exposed by accidental pipeline misconfiguration.
Sensitive data should be stored in a secrets management solution. If there is low-sensitivity
data that you want to store in a CI/CD variable, be sure to always:
- [Mask the variables](../variables/index.md#mask-a-cicd-variable).
- [Protect the variables](../variables/index.md#protect-a-cicd-variable) when possible.
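The following `.gitlab-ci.yml` job is an added example (not part of this page or of the GitLab documentation) showing the approach described above: the secret is fetched from Vault at job runtime with a short-lived ID token, so nothing sensitive is stored in project, group, or instance settings. The Vault URL, the auth role `gitlab-ci`, the KV v2 engine mounted at `secret`, the path `production/db`, and the `run-migration.sh` script are all assumed values.

```yaml
# Added example, not from the GitLab docs. Assumed: Vault at
# https://vault.example.com, JWT auth role "gitlab-ci", KV v2 engine mounted
# at "secret", and a secret at production/db with a "password" field.
deploy-db-migration:
  stage: deploy
  image: alpine:3.19
  variables:
    VAULT_SERVER_URL: https://vault.example.com   # assumed
    VAULT_AUTH_ROLE: gitlab-ci                     # assumed, bound to this project in Vault
  id_tokens:
    # Short-lived OIDC token that Vault verifies. No long-lived Vault token is
    # ever stored in GitLab settings, so nothing can be read or overridden there.
    VAULT_ID_TOKEN:
      aud: https://vault.example.com
  secrets:
    DATABASE_PASSWORD:
      vault:
        engine:
          name: kv-v2
          path: secret
        path: production/db
        field: password
      token: $VAULT_ID_TOKEN
      # Default behaviour: the value is written to a temporary file and
      # $DATABASE_PASSWORD holds that file's path, so the value itself does not
      # sit in the job's environment where a misconfigured step could dump it.
  rules:
    # Restrict the job to the default (protected) branch so that a pipeline from
    # an unreviewed branch cannot pull the production secret.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    # Confirm the secret was retrieved without ever printing its value. Avoid
    # `set -x` or `echo` on it: job logs are readable by everyone who can see
    # the pipeline, which is the accidental exposure the page warns about.
    - test -s "$DATABASE_PASSWORD" || { echo "secret not retrieved"; exit 1; }
    - ./run-migration.sh --password-file "$DATABASE_PASSWORD"   # assumed script
```

Masking and protecting the lower-sensitivity variables mentioned above is done in the project or group CI/CD settings, not in this file.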