Open Source compliance CLI
for GitLab CI/CD & GitHub Actions

Analyze your GitLab CI/CD pipelines and GitHub Actions workflows for security and compliance: pipeline composition (templates, components, pinned action SHAs), container images (mutable tags, trusted registries), dangerous triggers and permissions, and branch protection settings.

View on GitHub CLI Documentation

.gitlab-ci.yml

How it works

Plumber scans your GitLab CI/CD configuration GitHub Actions workflows

Analyze your pipelines for security and compliance issues with automated checks. Analyze your workflows for security and compliance issues with automated checks.

.gitlab-ci.yml

1 include:

2 ## Security scanning

3 - component: gitlab.com/components/secret-detection/secret-detection@~main mutable

4 - component: gitlab.com/components/sast/sast@0.0.1 outdated

5 - component: random-gitlab.com/components/dast@1.3.4 untrusted

6 install-deps:

7 image: node:latest mutable

8 variables:

9 DAST_DISABLED: "false" overridden

10 allow_failure: true

11 rules:

12 - when: never weakened

.github/workflows/ci.yml

1 on:

2 ## External-contributor trigger

3 - pull_request_target dangerous

4 permissions: write-all write-all

5 jobs:

6 build:

7 env:

8 ACTIONS_STEP_DEBUG: "true" debug

9 steps:

10 - uses: tj-actions/changed-files@main mutable

11 - uses: archived-org/setup@v1 archived

12 - run: echo "${{ github.event.title }}" injection

Your .gitlab-ci.yml Your GitHub Actions workflow

with compliance issues

Plumber CLI

scans & analyzes

.gitlab-ci.yml

1 include:

2 ## Security scanning

3 - component: gitlab.com/components/secret-detection/secret-detection@2.3.4 pinned

4 - component: gitlab.com/components/sast/sast@3.3.4 updated

5 - component: gitlab.com/components/dast@1.3.4 trusted

6 install-deps:

7 image: node:22@sha256:8f3e2a1b9c0d7e6f5a4b3c2d… pinned

8 allow_failure: false strict

9 rules:

10 - when: always runs

.github/workflows/ci.yml

1 on:

2 ## Safe trigger

3 - pull_request safe

4 permissions:

5 contents: read least-priv

6 jobs:

7 build:

8 steps:

9 - uses: actions/checkout@a1b2c3d4e5f6a7b8c9d0… pinned

10 - env: TITLE: ${{ github.event.title }} bound

11 run: echo "$TITLE" safe

Compliant & secure

audit-ready pipeline audit-ready workflow

Each scan applies policy checks across your pipeline. Here is what Plumber controls.

Pipeline composition

Detects hardcoded jobs in the .gitlab-ci.yml and verifies that all required template and component modules are included, up to date and do not follow unauthorized patterns (latest, main, etc.) Detects unpinned and risky steps in .github/workflows/*.yml and verifies that third-party actions are pinned by commit SHA, not archived, and free of known CVEs.

CI/CD container images

Detects container images using mutable tags that can change unexpectedly. Ensures images come from trusted registries only.

Access and authorization

Verifies that critical branches have proper protection settings.

See all controls

Runners, caches, artifacts, and many other checks beyond these three. The documentation lists the full catalog and how each control maps to issue codes.

Open the controls guide

Quick Start

Get started in minutes

Set up Plumber in your GitLab CI/CD pipeline or GitHub Actions workflow with just a few simple steps.

Set up Plumber in your repository

Add the Plumber component to your GitLab pipeline (or call the CLI from your GitHub Actions workflow) and configure controls (registries, action pinning, branch protection, etc.).