Are SSH keys safe to use in GitLab CI/CD?


I’m currently developing a pipeline for a GitLab project.

The pipeline has 3 jobs:

  • build
  • test
  • deploy

In my build job i’m passing a SSH key to docker, so I can run composer install in it.

The SSH key is stored in a GitLab CI/CD file variable and it’s not marked as protected, because the build job also runs on unprotected branches in order to run the test job.

I cannot use deploy tokens, because the deploy job merges changes from main to TEST_BRANCH. From what I’ve seen deploy tokens don’t have write_repository access.

Are there any security risks in this approach?

If there are any risks, please share any ideas to solve this.


Can you explain a bit more what exactly do you use the SSH key for?
Also sharing that job conifig (.gitlab-ci.yml) would be useful for us to be able to understand and help you.

Generally, using SSH keys in jobs is okay - the intended usage is explained in the official docs so I believe it should be quite safe if you’re doing it correctly :slight_smile: