Include verbiage around supply chain attacks

5361e31a · Tim Poffenbarger · Nick Gaskill · ab1e5eb4 · 5361e31a
Commit 5361e31a authored Apr 30, 2021 by Tim Poffenbarger Committed by Nick Gaskill Apr 30, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

doc/ci/variables/README.md doc/ci/variables/README.md +9 -2

No files found.
--- a/doc/ci/variables/README.md
+++ b/doc/ci/variables/README.md
@@ -603,11 +603,18 @@ to enable the `restrict_user_defined_variables` setting. The setting is `disable

 ## Limit the environment scope of a CI/CD variable

-You can limit the environment scope of a variable by
-[defining which environments](../environments/index.md) it can be available for.
+By default, all CI/CD variables are available to any job in a pipeline. Therefore, if a project uses a
+compromised tool in a test job, it could expose all CI/CD variables that a deployment job used. This is
+a common scenario in supply chain attacks. GitLab helps mitigate supply chain attacks by limiting
+the environment scope of a variable. GitLab does this by
+[defining which environments and corresponding jobs](../environments/index.md)
+the variable can be available for.

 To learn more about scoping environments, see [Scoping environments with specs](../environments/index.md#scoping-environments-with-specs).

+To learn more about ensuring CI/CD variables are only exposed in pipelines running from protected
+branches or tags, see [Protect a CI/CD Variable](#protect-a-cicd-variable).
+
 ## Deployment variables

 Integrations that are responsible for deployment configuration can define their own