GA - GitLab Secrets Manager
## Executive Summary
Enable customers to securely store and manage secrets natively within GitLab, reducing reliance on third-party tools and eliminating insecure practices like storing secrets in CI variables.
## Delivery goals
Our GA capability will include:
- **Group-level secret storage**
- **Project-level secret storage**
- **Ability to create/edit/delete a secret.**
- **Inject secret into CI Job**
- **Limit secret application to environment or branch.**
- **Send rotation reminders**
- **Provide ability to set permissions including designated roles/groups/specific users at the project level.**
- **Proper backend encryption for secrets at rest.**
- **Segregation for multi-tenant to ensure privacy.**
- **Namespacing secrets available by default for group and project secrets**
- [**Audit Events**](https://docs.gitlab.com/user/compliance/audit_event_types/#secrets-management)
- **Support for GitLab.com, Self-Managed (helm), and Dedicated**
- [**Packaging and Pricing**](https://gitlab.com/groups/gitlab-org/-/work_items/21254)
Out of scope:
* Set an expiration for a secret.
* Automatic secret rotation (manual rotation reminders only)
* Dynamic secrets (only static secrets supported)
* Instance-level secrets
* Runtime secrets with External Secret Operator
* Secret versioning/history (roadmap item for post-GA)
* Advanced audit logging (basic audit events included, advanced features post-GA)
* Self-managed (omnibus)
## Timeline & Milestones
* **Closed Beta Launch: FY26Q4 (Feb-March 2026)**
* **Open Beta Launch: FY27Q2 (May 2026)**
* **GA Target: FY27Q2 (July 2026)**
## Target Metrics and Success Criteria
* Business and Product
  * Convert 1 beta participant into GA Customer
  * 2 design partners to adopt at GA or Post-GA
* Performance and Quality Metrics
  * Availability: 99.9%
  * Error rate:
  * Latency:
## Acceptance Criteria
### Feature completeness
* All delivery goals implemented and tested :hourglass_flowing_sand:
* Packaging restrictions enforced correctly :hourglass_flowing_sand:
* Performance benchmarks established :hourglass_flowing_sand:
### Security and compliance
* Threat model complete :hourglass_flowing_sand:
* Penetration testing passed with no critical findings :white_check_mark:
### Operational readiness
* Monitoring and alerts configured :hourglass_flowing_sand:
* Runbooks for on-call established :hourglass_flowing_sand:
* Support team readiness complete :hourglass_flowing_sand:
## GTM and Packaging
* In refinement
## Rollout strategy
* In refinement https://gitlab.com/groups/gitlab-org/-/work_items/20758+
* Dependent on Fulfillment Planning
#### Dependencies
- Cross-team dependencies tracked here: https://docs.google.com/document/d/1k6swABYMITI5H8_L8PLNt5psXdPSBA1oDAm1O8XgLSc/edit?tab=t.0#heading=h.z6fiuct8k1jp
#### DRIs
- **PM**: @jrandazzo
- **EM**: @mmishaev
- **UX/PDM**: @jtouchstone1
- **Group(s)**: ~"group::pipeline security"
- **Engineering Owner**: @mmishaev