I am trying to host a new project with Gitlab. It is a private Python project. I was able to test some initial tests with Gitlab CI.
I don't use a cache while running tests.
While exploring the runner section in settings, there is a warning shown:
"GitLab Runners do not offer secure isolation between projects that they do builds for. You are TRUSTING all GitLab users who can push code to project A, B or C to run shell scripts on the machine hosting runner X."
What are the security risks in using a shared test runner? Is it safe to run private projects on a shared runner? What precautions can be taken while running tests on a shared runner?
Thank you for any insight.
GitLab CI runner offers the following executor types:
- shell
- docker
- ssh
- docker-ssh
- parallels
- virtualbox
The security concerns you should have are mainly from using ssh and shell runners.
shell is unsafe unless you're in a controlled environment. ssh is susceptible to man-in-the-middle attacks. Fortunately, http://gitlab.com seems to be sharing only docker runners.
docker runners are generally safe* because every build runs in a new container, so there's nothing to worry about.
You can read further about GitLab CI Runner security here.
* unless you're doing the nasty privileged mode!