GitLab CI/CD Protected Variable Leak & Log Exposure Audit Prompt
Audit a .gitlab-ci.yml and project CI/CD settings for ways secrets leak into job logs, forks, or MR pipelines via unmasked variables, echoed env, expanded interpolation, or protected/masked misconfiguration.
- Target user: Security and platform engineers reviewing GitLab CI for secret exposure
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior CI/CD security engineer reviewing a GitLab pipeline for secret leakage. I will provide:

- The `.gitlab-ci.yml` (jobs, `variables:`, scripts, `rules`)
- The list of project/group CI/CD variables with their flags (Protected, Masked, Expanded, Environment scope) — values redacted
- Whether the project allows fork/MR pipelines and merge request pipelines, and any external/community contributors
- A sample job log if a leak is suspected

Your job:

1. **Flag unmasked secrets** — find secret variables not marked Masked, or whose values can't be masked (too short, special chars, multiline) and would print if echoed.
2. **Find echo paths** — scan scripts for `set -x`, `env`, `echo $TOKEN`, curl with inline creds, and tools that print config; recommend masking, `--silent`, and writing secrets to files not args.
3. **Check protected scope** — confirm secrets are Protected so they're only injected on protected branches/tags, and that no MR/fork pipeline on an unprotected ref can read them.
4. **Review expansion** — check `Expanded` variables and nested interpolation that could reconstruct a secret from masked parts.
5. **Audit environment scope** — ensure prod secrets are scoped to prod environments only, not `*`.
6. **Fix and verify** — give exact setting changes and script edits, plus how to confirm with a test job whose log shows `[MASKED]` and the secret push-protection/secret-detection job catching regressions.

Output as: (a) findings ranked by severity, (b) exact remediation per finding, (c) settings checklist (Masked/Protected/scope), (d) one detective control to add. Treat any secret that has appeared in a job log as already compromised — rotate it, don't just mask going forward.
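As an added illustration of audit steps 1 to 5 above (example code, not part of the page's prompt or any GitLab tooling), this hypothetical Python linter runs the checks over a constructed variable list and constructed job scripts; the variable flags, job names and the secret-name heuristic are assumptions.

```python
import re  # added example: a hypothetical linter for the audit points in the prompt above

SECRET_NAME = r"\w*(?:TOKEN|SECRET|PASSW(?:OR)?D|KEY)\w*"  # credential-looking names (heuristic)
SECRET_RE = re.compile(SECRET_NAME)

# Constructed sample of project CI/CD variable flags (values redacted, as the prompt asks).
VARIABLES = [
    {"key": "PROD_DB_PASSWORD", "masked": False, "protected": True, "scope": "*"},
    {"key": "DEPLOY_TOKEN", "masked": True, "protected": False, "scope": "*"},
    {"key": "NODE_ENV", "masked": False, "protected": False, "scope": "*"},
]
# Constructed job scripts, as they would appear under `script:` in .gitlab-ci.yml.
JOBS = {
    "deploy": ["set -x", "echo deploying with $DEPLOY_TOKEN",
               'curl -H "PRIVATE-TOKEN: $DEPLOY_TOKEN" https://gitlab.example/api/v4/projects'],
    "test": ["npm ci", "npm test"],
}

# Script constructs that copy variable values into the job log or the process list.
ECHO_PATTERNS = [
    (re.compile(r"^\s*set\s+(?:-[a-z]*x|-o\s+xtrace)\b"), "set -x traces every expanded command into the log"),
    (re.compile(r"^\s*(?:env|printenv|export\s+-p)\s*$"), "dumps the whole environment, secrets included"),
    (re.compile(r"^\s*echo\b.*\$\{?" + SECRET_NAME), "echoes a secret variable"),
    (re.compile(r"\bcurl\b.*\$\{?" + SECRET_NAME), "secret on the curl command line: shown by -v/--trace and in ps"),
]

def audit_variables(variables, fork_pipelines_allowed):
    """Check the Masked/Protected/scope flags of every secret-looking variable."""
    findings = []
    for v in variables:
        if not SECRET_RE.search(v["key"]):
            continue
        if not v["masked"]:
            findings.append(("HIGH", v["key"], "not Masked: value prints in clear if echoed"))
        if not v["protected"] and fork_pipelines_allowed:
            findings.append(("HIGH", v["key"], "not Protected: readable by MR/fork pipelines on unprotected refs"))
        if "PROD" in v["key"] and v["scope"] == "*":
            findings.append(("MEDIUM", v["key"], "prod secret scoped to '*': injected into every environment"))
    return findings

def audit_scripts(jobs):
    """Flag script lines that would echo, trace or otherwise expose a secret."""
    return [("HIGH", f"{job}: {line}", msg)
            for job, lines in jobs.items() for line in lines
            for pat, msg in ECHO_PATTERNS if pat.search(line)]

def audit(variables, jobs, fork_pipelines_allowed=True):
    """Combined findings ranked by severity, matching output section (a) of the prompt."""
    findings = audit_variables(variables, fork_pipelines_allowed) + audit_scripts(jobs)
    return sorted(findings, key=lambda f: f[0] != "HIGH")  # HIGH first, then MEDIUM
```

Running `audit(VARIABLES, JOBS)` on the constructed input yields three HIGH findings from the scripts, two HIGH flag findings and one MEDIUM scope finding; any variable listed as HIGH for echoing has already reached a log and should be rotated, as the prompt says.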
Related prompts
- GitLab CI/CD Variable Masking & Protected Hardening Prompt: Audit and harden GitLab CI/CD variables — masking, protected/expanded flags, scoping, and leak prevention — so secrets never appear in job logs or untrusted branch pipelines.
- GitLab CI/CD Pipeline & Access Tokens Security Prompt: Manage and secure GitLab tokens — trigger tokens, project access tokens, group access tokens, $CI_JOB_TOKEN scope, leak detection and rotation.