GitLab Pipeline Trigger Token

Name: GitLab Pipeline Trigger Token
Creator: TestPattern Community
License: https://opensource.org/licenses/MIT

Detects GitLab pipeline trigger tokens (glptt- prefix). These tokens let external systems start CI/CD pipelines via the trigger API; a leak allows unauthorized pipeline execution.

Type: regex
Engine: universal
Confidence: high
Confidence justification: High confidence: the distinctive glptt- prefix with a fixed 40-character hex body makes false positives extremely unlikely.
Jurisdictions: global
Regulations: Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories: credentials, security
Scope: narrow
Risk rating: 8
Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_-])glptt-[0-9a-f]{40}(?![A-Za-z0-9_-])

Corroborative evidence keywords

gitlab, pipeline trigger, trigger token, CI/CD, trigger pipeline

Proximity: 300 characters

Should match

glptt-0123456789abcdef0123456789abcdef01234567 — GitLab pipeline trigger token, glptt- prefix + 40 hex
TRIGGER_TOKEN=glptt-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa — Labelled pipeline trigger token in env var
glptt-deadbeefdeadbeefdeadbeefdeadbeefdeadbeef — Pipeline trigger token with hex body

Should not match

glptt-0123456789abcdef — Too short to be a pipeline trigger token
glpat-ABCDEFGHIJ1234567890 — GitLab PAT prefix, not a pipeline trigger token
regenerate the gitlab pipeline trigger token in settings — Prose mention without a token value

Known false positives

40-char hex digests (e.g. SHA-1) accidentally prefixed with glptt- in documentation. Mitigation: Require corroborative GitLab CI/CD keywords and exclude placeholder markers.