Open Source compliance CLI for GitLab CI/CD

Analyze your GitLab CI/CD pipelines for security and compliance: pipeline composition (templates, components, version constraints), container images (mutable tags, trusted registries), and branch protection settings.


How it works

Plumber scans your GitLab CI/CD configuration

Analyze your pipelines for security and compliance issues with automated checks.

1. Your .gitlab-ci.yml, with compliance issues (the trailing comment on each line is the finding Plumber reports for it):

   include:
     ## Security scanning
     - component: gitlab.com/components/secret-detection/secret-detection@~main   # mutable
     - component: gitlab.com/components/sast/sast@0.0.1                           # outdated
     - component: random-gitlab.com/components/dast@1.3.4                         # untrusted
   install-deps:
     image: node:latest            # mutable
     variables:
       DAST_DISABLED: "false"      # overridden
     allow_failure: true
     rules:
       - when: never               # weakened

2. The Plumber CLI scans and analyzes it.

3. The result is a compliant, secure, audit-ready pipeline:

   include:
     ## Security scanning
     - component: gitlab.com/components/secret-detection/secret-detection@2.3.4   # pinned
     - component: gitlab.com/components/sast/sast@3.3.4                           # updated
     - component: gitlab.com/components/dast@1.3.4                                # trusted
   install-deps:
     image: node:22@sha256:8f3e2a1b9c0d7e6f5a4b3c2d…   # pinned
     allow_failure: false          # strict
     rules:
       - when: always              # runs

Each scan applies policy checks across your pipeline. Here is what Plumber controls.

Pipeline composition

Detects hardcoded jobs in the .gitlab-ci.yml and verifies that all required template and component modules are included, are up to date, and do not use unauthorized version patterns (latest, main, etc.).

CI/CD container images

Detects container images using mutable tags that can change unexpectedly. Ensures images come from trusted registries only.

Access and authorization

Verifies that critical branches have proper protection settings.

See all controls

Plumber also checks runners, caches, artifacts, and much more beyond these three controls. The documentation lists the full catalog and how each control maps to issue codes.


Quick Start

Get started in minutes

Set up Plumber in your GitLab CI/CD pipeline with just a few simple steps.

Set up Plumber in your GitLab project

Add the Plumber component to your pipeline and configure controls (registries, branch protection, etc.).

Run your CI/CD pipeline

Plumber runs as part of your pipeline and scans your CI configuration and job definitions.

Get your compliance report

View results in the job output or download the report artifact for audit and remediation.