Are SSH keys safe to use in GitLab CI/CD?

Hello!

I’m currently developing a pipeline for a GitLab project.

The pipeline has 3 jobs:

  • build
  • test
  • deploy

In my build job I’m passing an SSH key to docker, so I can run composer install in it.

The SSH key is stored in a GitLab CI/CD file variable and it’s not marked as protected, because the build job also runs on unprotected branches in order to run the test job.

I cannot use deploy tokens, because the deploy job merges changes from main to TEST_BRANCH. From what I’ve seen deploy tokens don’t have write_repository access.

Are there any security risks in this approach?

If there are any risks, please share any ideas to solve this.

Hello!

Can you explain a bit more what exactly you use the SSH key for?
Also, sharing that job config (.gitlab-ci.yml) would be useful for us to be able to understand and help you.

Generally, using SSH keys in jobs is okay - the intended usage is explained in the official docs so I believe it should be quite safe if you’re doing it correctly :slight_smile:
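For readers of this thread, here is an added example of the pipeline shape the question describes, written the way the official docs recommend. It is not code from either poster. It assumes three CI/CD variables: `SSH_PRIVATE_KEY` (type File, unprotected, holding a read-only deploy key for the private composer packages), `DEPLOY_WRITE_KEY` (type File, protected, the key with write_repository access used to merge main into TEST_BRANCH) and `SSH_KNOWN_HOSTS` (protected, the pinned host key line for the GitLab server); it also assumes Docker-in-Docker with BuildKit and a hypothetical package host `gitlab.example.com`. The `test` job is omitted because the thread says nothing about how it runs.

```yaml
# Added example, not from the thread. Assumed variables (see lead-in):
#   SSH_PRIVATE_KEY   File, unprotected: read-only deploy key. GitLab writes
#                     the value to a temp file and puts that path in the variable.
#   DEPLOY_WRITE_KEY  File, protected: write-capable key, only available to
#                     pipelines on protected branches.
#   SSH_KNOWN_HOSTS   protected: pinned host key line(s) for $CI_SERVER_HOST.
stages: [build, test, deploy]

build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  variables:
    DOCKER_BUILDKIT: "1"
  script:
    - chmod 400 "$SSH_PRIVATE_KEY"
    # BuildKit secret: the key is mounted only inside the RUN step that needs
    # it and is never written to an image layer, unlike ARG or COPY of the key.
    - >-
      docker build --secret "id=ssh_key,src=$SSH_PRIVATE_KEY"
      -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .

# Matching Dockerfile for the build job above (assumes the composer image
# ships git and an ssh client; gitlab.example.com is a placeholder host):
#   # syntax=docker/dockerfile:1
#   FROM composer:2
#   RUN mkdir -p -m 0700 /root/.ssh \
#    && ssh-keyscan gitlab.example.com >> /root/.ssh/known_hosts
#   COPY composer.json composer.lock ./
#   RUN --mount=type=secret,id=ssh_key,target=/root/.ssh/id_ed25519 \
#       composer install --no-dev

deploy:
  stage: deploy
  image: alpine:3.19
  rules:
    # Only main is protected, so only here is DEPLOY_WRITE_KEY defined.
    - if: $CI_COMMIT_BRANCH == "main"
  variables:
    GIT_DEPTH: "0"          # full history so the merge below has both sides
  before_script:
    - apk add --no-cache git openssh-client
    - eval "$(ssh-agent -s)"
    - chmod 400 "$DEPLOY_WRITE_KEY"
    - ssh-add "$DEPLOY_WRITE_KEY"
    - mkdir -p -m 0700 ~/.ssh
    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
    - git config user.name "ci-bot"
    - git config user.email "ci-bot@example.invalid"
  script:
    - git remote set-url origin "git@$CI_SERVER_HOST:$CI_PROJECT_PATH.git"
    - git fetch origin main TEST_BRANCH
    - git checkout -B TEST_BRANCH origin/TEST_BRANCH
    - git merge --no-edit origin/main
    - git push origin TEST_BRANCH
```

The point of splitting the keys is the caveat behind the original question: an unprotected variable is available to every job on every branch, so anyone who can push a branch or open a merge request in the project can change `.gitlab-ci.yml` to read `"$SSH_PRIVATE_KEY"` and take the key. Limiting that key to read access on the dependency repositories, passing it to the build as a BuildKit secret rather than an `ARG` or a `COPY` (either of which would leave it recoverable from the image history), and keeping the write-capable key protected and used only by a job that runs on main keeps the exposure of the unprotected key to something that can be revoked and rotated without giving an attacker write access to the repository. The `ssh-keyscan` line in the Dockerfile trusts whatever host key it sees at build time; a pinned known_hosts value, as the deploy job uses, is the stronger option there as well.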