Ensure to review suspicious use of 'curl' / 'wget' with CI environment CI_JOB_TOKEN or CI_REGISTRY_PASSWORD variable

When a pipeline job is about to run, GitLab generates a unique token and injects it as the CI_JOB_TOKEN and CI_REGISTRY_PASSWORD predefined variables,
and can be used to authenticate with specific API endpoints.

Risk Level: medium
Platform: GitLab
Spectral Rule ID: GLPL002


To make sure that this token doesn't leak:

  • Masks the job token in job logs.
  • Grants permissions to the job token only when the job is running.

You should also configure your runners to be secure. Avoid:

  • Using Docker's privileged mode if the machines are re-used.
  • Using the shell executor when jobs run on the same machine.
    If you have an insecure GitLab Runner configuration, you increase the risk that someone tries to steal tokens from other jobs.

Read more: