Suspicious use of curl with CI environment variables in script
Description
This policy checks for suspicious use of curl commands in GitLab CI scripts that reference CI environment variables. Passing CI variables to curl can expose sensitive information, such as tokens or credentials, to unauthorized parties (for example, by sending a secret to an external endpoint or by echoing it into job logs). Ensure that curl commands do not inadvertently leak sensitive data. By identifying and addressing these instances, developers can help protect their CI/CD pipelines from potential security vulnerabilities.
Code Example

```yaml
script:
  - curl -X GET \
    'https://example.com/api/endpoint'
  - echo $CI_VARIABLE > variable.txt
  - curl -X POST \
    -H 'Authorization: Bearer $TOKEN'
    'https://example.com/api/endpoint'

# Instead, use:
script:
  - curl -X GET \
    'https://example.com/api/endpoint'
  - echo $CI_VARIABLE > variable.txt
  - curl -X POST \
    -H 'Authorization: Bearer ${TOKEN}'
    'https://example.com/api/endpoint'
```

Remediation
Modify the script to avoid using CI environment variables directly in curl commands. Instead, consider using GitLab CI's built-in features for handling secrets and sensitive variables.
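An added detection example, written for this page and not Checkov's own implementation of the rule: it applies the check to each `script[]` entry, folding backslash continuations so a curl command split across lines is still examined as one command. The variable-reference pattern and the constructed `SAMPLE_SCRIPT` are my own assumptions, not taken from the policy.

```python
import re
from typing import List, Dict

# Assumed pattern for shell variable references: $NAME, ${NAME} and $(...)
VAR_REF = re.compile(r"\$(?:\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*|\()")
# A curl invocation at the start of a command or after a separator/pipe
CURL_CMD = re.compile(r"(?:^|[\s;&|])curl\b")

# Constructed sample: one list mirroring the page's flagged script block
SAMPLE_SCRIPT = [
    "curl -X GET \\\n  'https://example.com/api/endpoint'",
    "echo $CI_VARIABLE > variable.txt",
    "curl -X POST \\\n  -H 'Authorization: Bearer $TOKEN' \\\n"
    "  'https://example.com/api/endpoint'",
    "curl -s -o /dev/null https://example.com/health",
]


def _join_continuations(entry: str) -> str:
    """Fold 'backslash-newline' continuations into one logical command line."""
    return re.sub(r"\\\s*\n\s*", " ", entry)


def find_suspicious_curl(script: List[str]) -> List[Dict]:
    """Return one finding per script entry that runs curl and references a
    variable anywhere on the same logical command line."""
    findings = []
    for idx, entry in enumerate(script):
        cmd = _join_continuations(entry)
        if not CURL_CMD.search(cmd):
            continue  # not a curl command; the echo line is out of scope
        refs = [m.group(0) for m in VAR_REF.finditer(cmd)]
        if refs:
            findings.append({"index": idx, "variables": refs, "command": cmd})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_curl(SAMPLE_SCRIPT):
        print(f"script[{finding['index']}] uses {finding['variables']}: "
              f"{finding['command']}")
```

Only the POST entry is reported; the `echo $CI_VARIABLE` line references a variable but does not invoke curl, so it falls outside this rule.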
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1066 |
| Severity | MEDIUM |
| IaC Type | gitlab_ci |
| Frameworks | *.script[] |
| Checkov ID | CKV_GITLABCI_1 |