Consider making CI/CD env variables protected by default when defined by admin/maintainer
Problem to solve
Following a customer security request and several HackerOne reports, making CI/CD env variables protected by default when defined by an admin/maintainer could make GitLab deployments more secure. If a maintainer defines a sensitive environment variable and forgets about or does not know about protected variables, any user can read/overwrite it (in the context of the pipeline).
To avoid breaking numerous pipelines, this should not apply to existing env variables but only when defining new ones.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
For the existing admin setting "Environment variables are protected by default", set the default to enabled by updating the protected_ci_variables field in ApplicationSetting to true by default.
Documentation
- Update "Protect a custom variable"
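Because the proposal leaves existing variables untouched, instances still need a way to find variables that were created without the protected flag. The following is an added example, not part of the original issue or GitLab's code: it audits a list of variables in the shape returned by the project-level variables API (`GET /projects/:id/variables`). The sample data is constructed, and the key-name pattern and function names are assumptions made for illustration.

```python
import re

# Assumption: key names matching this pattern usually hold credentials.
SENSITIVE_KEY = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY)", re.I
)

# Constructed sample, shaped like the response of GET /projects/:id/variables.
SAMPLE_VARIABLES = [
    {"key": "DEPLOY_TOKEN", "value": "example-1", "protected": False,
     "masked": True, "environment_scope": "*"},
    {"key": "AWS_SECRET_ACCESS_KEY", "value": "example-2", "protected": True,
     "masked": True, "environment_scope": "production"},
    {"key": "BUILD_FLAVOR", "value": "debug", "protected": False,
     "masked": False, "environment_scope": "*"},
    {"key": "DB_PASSWORD", "value": "example-3", "protected": False,
     "masked": False, "environment_scope": "staging"},
]


def audit_variables(variables):
    """Return one finding per variable that is not marked as protected."""
    findings = []
    for var in variables:
        if var.get("protected", False):
            continue  # only exposed to pipelines on protected branches/tags
        sensitive = bool(SENSITIVE_KEY.search(var["key"]))
        findings.append({
            "key": var["key"],
            "environment_scope": var.get("environment_scope", "*"),
            "masked": var.get("masked", False),
            # Credential-like names first in line for remediation.
            "severity": "high" if sensitive else "review",
        })
    # High-severity findings first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["key"]))


def main():
    # Values are never printed, only the metadata needed for triage.
    for f in audit_variables(SAMPLE_VARIABLES):
        print(f"{f['severity']:6} {f['key']:24} "
              f"scope={f['environment_scope']} masked={f['masked']}")


if __name__ == "__main__":
    main()
```

Masking only hides a value in job logs; an unprotected masked variable is still available to any pipeline job, which is why `DEPLOY_TOKEN` is reported here.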