Project-level secure files
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Version history
- Generally available and feature flag ci_secure_files removed in GitLab 15.7.
This feature is part of Mobile DevOps. The feature is still in development, but you can:
You can securely store up to 100 files for use in CI/CD pipelines as secure files. These files are stored securely outside of your project's repository and are not version controlled. It is safe to store sensitive information in these files. Secure files support both plain text and binary file types but must be 5 MB or less.
You can manage secure files in the project settings, or with the secure files API.
Secure files can be downloaded and used by CI/CD jobs by using the download-secure-files tool.
Add a secure file to a project
To add a secure file to a project:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > CI/CD.
- Expand the Secure Files section.
- Select Upload File.
- Find the file to upload, select Open, and the file upload begins immediately. The file shows up in the list when the upload is complete.
Use secure files in CI/CD jobs
With the download-secure-files tool
To use your secure files in a CI/CD job, you can use the download-secure-files tool to download the files in the job. After they are downloaded, you can use them with your other script commands.
Add a command in the script section of your job to download the download-secure-files tool and execute it. The files download into a .secure_files directory in the root of the project.
To change the download location for the secure files, set the path in the SECURE_FILES_DOWNLOAD_PATH CI/CD variable.
For example:
test:
  variables:
    SECURE_FILES_DOWNLOAD_PATH: './where/files/should/go/'
  script:
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
The content of files loaded with the download-secure-files tool is not masked in the job log output. Make sure to avoid outputting secure file contents in the job log, especially when logging output that could contain sensitive information.
With the glab tool
To download one or more secure files with glab, you can use the cli Docker image in the CI/CD job. For example:
test:
  image: registry.gitlab.com/gitlab-org/cli:latest
  script:
    - export GITLAB_HOST=$CI_SERVER_URL
    - glab auth login --job-token $CI_JOB_TOKEN --hostname $CI_SERVER_FQDN --api-protocol $CI_SERVER_PROTOCOL
    - glab -R $CI_PROJECT_PATH securefile download $SECURE_FILE_ID --path="where/to/save/file.txt"
The SECURE_FILE_ID CI/CD variable needs to be passed to the job explicitly, for example in CI/CD settings or when running a pipeline manually. Every other variable is a predefined variable that is automatically available.
Alternatively, instead of using the Docker image, you can download the binary and use it in your CI/CD job.
Security details
Project-level Secure Files are encrypted on upload using the Lockbox Ruby gem, through the Ci::SecureFileUploader interface. This interface generates a SHA256 checksum of the source file during upload that is persisted with the record in the database, so it can be used to verify the contents of the file when downloaded.
A unique encryption key is generated for each file when it is created and persisted in the database. The encrypted uploaded files are stored in either local storage or object storage depending on the GitLab instance configuration.
Individual files can be retrieved with the secure files download API.
Metadata can be retrieved with the list or show API endpoints. Files can also be retrieved with the download-secure-files tool. This tool automatically verifies the checksum of each file as it is downloaded.
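The following script is an added example, not part of this page or of the download-secure-files tool: it fetches each secure file through the secure files API in a CI/CD job and performs the same SHA256 check against the checksum stored at upload, discarding any file that fails. It assumes curl, jq and sha256sum (or shasum) are available in the job image and that the predefined CI_API_V4_URL, CI_PROJECT_ID and CI_JOB_TOKEN variables are set; the JOB-TOKEN header is assumed to be accepted by these endpoints, as it is by glab above.

```shell
#!/bin/sh
# Added example: list, download and checksum-verify project-level secure files.
# Assumes curl, jq, sha256sum/shasum, CI_API_V4_URL, CI_PROJECT_ID, CI_JOB_TOKEN.

# Hex SHA256 digest of a local file (coreutils first, shasum as fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Compare a file's SHA256 with the digest the API reported at upload time.
# Returns 0 on match, 1 on mismatch.
verify_checksum() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Download one secure file by id into SECURE_FILES_DOWNLOAD_PATH (default
# .secure_files, as the tool uses) and verify it. A file whose checksum does
# not match is deleted so a truncated or altered download never reaches
# later script steps.
fetch_secure_file() {
  id="$1"; expected="$2"; name="$3"
  dest_dir="${SECURE_FILES_DOWNLOAD_PATH:-.secure_files}"
  mkdir -p "$dest_dir"
  dest="$dest_dir/$name"
  curl --silent --fail --header "JOB-TOKEN: $CI_JOB_TOKEN" \
    "$CI_API_V4_URL/projects/$CI_PROJECT_ID/secure_files/$id/download" \
    --output "$dest" || return 1
  if verify_checksum "$dest" "$expected"; then
    echo "verified: $name"          # never print the file contents here
  else
    echo "checksum mismatch for $name, removing" >&2
    rm -f "$dest"
    return 1
  fi
}

# List every secure file (id, sha256 checksum, name) and fetch each one;
# the name is read last so names containing spaces stay intact.
fetch_all_secure_files() {
  curl --silent --fail --header "JOB-TOKEN: $CI_JOB_TOKEN" \
    "$CI_API_V4_URL/projects/$CI_PROJECT_ID/secure_files" |
  jq -r '.[] | "\(.id) \(.checksum) \(.name)"' |
  while read -r id checksum name; do
    fetch_secure_file "$id" "$checksum" "$name" || exit 1
  done
}
```

Call fetch_all_secure_files from the job's script section; a non-zero exit fails the job before any unverified file is used.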
Any project member with at least the Developer role can access Project-level secure files. Interactions with Project-level secure files are not included in audit events, but issue 117 proposes adding this functionality.