DevOps AI ToolKit
Category: AI for GitLab CI/CD | Difficulty: Advanced | Tools: Claude, ChatGPT

GitLab CI/CD Protected Variable Leak & Log Exposure Audit Prompt

Audit a .gitlab-ci.yml and project CI/CD settings for ways secrets leak into job logs, forks, or MR pipelines via unmasked variables, echoed env, expanded interpolation, or protected/masked misconfiguration.

Target user
Security and platform engineers reviewing GitLab CI for secret exposure
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior CI/CD security engineer reviewing a GitLab pipeline for secret leakage.

I will provide:
- The `.gitlab-ci.yml` (jobs, `variables:`, scripts, `rules`)
- The list of project/group CI/CD variables with their flags (Protected, Masked, Expanded, Environment scope) — values redacted
- Whether the project allows fork/MR pipelines and merge request pipelines, and any external/community contributors
- A sample job log if a leak is suspected

Your job:

1. **Flag unmasked secrets** — find secret variables not marked Masked, or whose values can't be masked (too short, special chars, multiline) and would print if echoed.
2. **Find echo paths** — scan scripts for `set -x`, `env`, `echo $TOKEN`, curl with inline credentials, and tools that print their configuration; recommend masking, `--silent`, and writing secrets to files rather than passing them as command-line arguments.
3. **Check protected scope** — confirm secrets are Protected so they're only injected on protected branches/tags, and that no MR/fork pipeline on an unprotected ref can read them.
4. **Review expansion** — check `Expanded` variables and nested interpolation that could reconstruct a secret from masked parts.
5. **Audit environment scope** — ensure prod secrets are scoped to prod environments only, not `*`.
6. **Fix and verify** — give exact setting changes and script edits, plus how to confirm with a test job whose log shows `[MASKED]` and the secret push-protection/secret-detection job catching regressions.

Output as: (a) findings ranked by severity, (b) exact remediation per finding, (c) settings checklist (Masked/Protected/scope), (d) one detective control to add.

Treat any secret that has appeared in a job log as already compromised — rotate it, don't just mask going forward.
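The following is an added example, not part of this prompt page and not GitLab's own tooling: a static checker in Python that carries out steps 1 to 5 of the prompt above over a parsed `.gitlab-ci.yml` and the redacted variable list, and returns findings ranked by severity in the order the prompt asks for. It assumes the YAML has already been loaded into a dict (for example with PyYAML, which is not imported here), that secret variables follow a naming convention (TOKEN, SECRET, PASSWORD, API_KEY, PRIVATE_KEY, CREDENTIAL), and that the redacted variable export carries assumed `value_length` and `multiline` fields; the sample pipeline and variable list are constructed for the example.

```python
import re

# Assumption: secrets are recognised by naming convention, not by any GitLab attribute.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSW(OR)?D|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.I)
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")   # $NAME or ${NAME} in shell/YAML
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
NON_JOB_KEYS = {"default", "include", "stages", "variables", "workflow", "image", "services", "cache"}

# Constructed sample: a .gitlab-ci.yml already parsed into a dict (as PyYAML would load it).
SAMPLE_CI = {
    "variables": {"DEPLOY_ENV": "prod"},
    "test": {"stage": "test", "script": ["make test"]},
    "deploy": {
        "stage": "deploy",
        "variables": {"AUTH_HEADER": "Authorization: Bearer $DEPLOY_TOKEN"},
        "script": ["set -x", "env", "echo $DEPLOY_TOKEN",
                   "curl -u deploy:$DEPLOY_TOKEN https://registry.example.invalid/upload"],
    },
}
# Constructed sample: project variables, values redacted; value_length/multiline are assumed fields.
SAMPLE_VARS = [
    {"key": "DEPLOY_TOKEN", "masked": False, "protected": False,
     "environment_scope": "*", "value_length": 6, "multiline": False},
    {"key": "PROD_DB_PASSWORD", "masked": True, "protected": True,
     "environment_scope": "production", "value_length": 32, "multiline": False},
]


def is_secret_name(key):
    return bool(SECRET_NAME.search(key))


def masking_blockers(var):
    """Why GitLab would refuse to mask the value (8-char minimum, single line; charset not checked)."""
    reasons = []
    if var.get("value_length", 8) < 8:
        reasons.append("shorter than 8 characters")
    if var.get("multiline"):
        reasons.append("multiline")
    return reasons


def audit_variables(variables, fork_or_mr_pipelines):
    """Steps 1, 3 and 5: Masked, Protected and environment scope of each secret."""
    findings = []
    for v in variables:
        key = v["key"]
        if not is_secret_name(key):
            continue
        if not v["masked"]:
            why = masking_blockers(v)
            msg = f"{key} is not Masked" + (f" and cannot be ({', '.join(why)})" if why else "")
            findings.append(("high", key, msg))
        if not v["protected"]:
            sev = "critical" if fork_or_mr_pipelines else "high"
            findings.append((sev, key, f"{key} is not Protected; jobs on unprotected refs can read it"))
        if v["environment_scope"] == "*":
            findings.append(("medium", key, f"{key} is scoped to every environment ('*')"))
    return findings


def scan_script_line(job, line, secret_names):
    """Step 2: shell lines that would print secrets into the job log."""
    findings = []
    if re.search(r"(^|[;&|]\s*)set\s+(-[a-z]*x[a-z]*\b|-o\s+xtrace\b)", line):
        findings.append(("high", job, f"`{line}` enables shell tracing; expanded commands are logged"))
    if re.search(r"(^|[;&|]\s*)(env|printenv|export)\s*($|[;&|>])", line):
        findings.append(("high", job, f"`{line}` dumps the environment, CI variables included"))
    leaked = sorted(set(VAR_REF.findall(line)) & secret_names)
    if leaked and re.search(r"\becho\b", line):
        findings.append(("high", job, f"`{line}` echoes {', '.join(leaked)}"))
    if leaked and re.search(r"\bcurl\b.*(\s-u\s*|--user[\s=]|://[^/\s]*:)", line):
        findings.append(("medium", job, f"`{line}` passes {', '.join(leaked)} as an argument; use --netrc-file or --config"))
    return findings


def audit_scripts(ci, secret_names):
    """Steps 2 and 4: scan job scripts and flag YAML variables built by expanding a secret."""
    findings = []

    def check_vars(scope, mapping):
        for k, val in (mapping or {}).items():
            refs = sorted(set(VAR_REF.findall(str(val))) & secret_names)
            if refs:
                findings.append(("medium", scope, f"{k} is expanded from {', '.join(refs)}; printing {k} prints it unless Masked"))

    check_vars("global", ci.get("variables"))
    for name, job in ci.items():
        if name in NON_JOB_KEYS or not isinstance(job, dict):
            continue
        check_vars(name, job.get("variables"))
        for section in ("before_script", "script", "after_script"):
            lines = job.get(section) or []          # GitLab allows a single string or a list
            for line in ([lines] if isinstance(lines, str) else lines):
                findings.extend(scan_script_line(name, str(line), secret_names))
    return findings


def audit(ci, variables, fork_or_mr_pipelines):
    """All checks, ranked critical first (stable sort keeps YAML order within a level)."""
    secret_names = {v["key"] for v in variables if is_secret_name(v["key"])}
    findings = audit_variables(variables, fork_or_mr_pipelines) + audit_scripts(ci, secret_names)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for sev, where, msg in audit(SAMPLE_CI, SAMPLE_VARS, fork_or_mr_pipelines=True):
        print(f"[{sev.upper():8}] {where}: {msg}")
```

The checker is static: it tells you where a secret would reach the log, not whether it already has. Step 6 of the prompt still applies, so confirm the fix with a throwaway job that prints the variable and shows `[MASKED]`, and keep in mind that unmaskable values (too short, multiline) have to be rotated into a maskable format rather than relied on to stay out of logs.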
