Open Source compliance CLI
for GitLab CI/CD & GitHub Actions


Plumber is an open-source CLI and platform that audits GitLab CI/CD pipelines and GitHub Actions workflows for security and compliance.


How it works

Plumber scans your GitLab CI/CD configuration or GitHub Actions workflows

Analyze your pipelines and workflows for security and compliance issues with automated checks.

1. Your .gitlab-ci.yml or GitHub Actions workflow, with compliance issues (Plumber's finding labels are shown as trailing # comments)

.gitlab-ci.yml

    include:
      ## Security scanning
      - component: gitlab.com/components/secret-detection/secret-detection@~main   # mutable
      - component: gitlab.com/components/sast/sast@0.0.1   # outdated
      - component: random-gitlab.com/components/dast@1.3.4   # untrusted
    install-deps:
      image: node:latest   # mutable
      variables:
        DAST_DISABLED: "false"   # overridden
      allow_failure: true
      rules:
        - when: never   # weakened

.github/workflows/ci.yml

    on:
      ## External-contributor trigger
      - pull_request_target   # dangerous
    permissions: write-all   # write-all
    jobs:
      build:
        env:
          ACTIONS_STEP_DEBUG: "true"   # debug
        steps:
          - uses: tj-actions/changed-files@main   # mutable
          - uses: archived-org/setup@v1   # archived
          - run: echo "${{ github.event.title }}"   # injection

2. Plumber CLI scans & analyzes

3. Compliant & secure, audit-ready pipeline or workflow

.gitlab-ci.yml

    include:
      ## Security scanning
      - component: gitlab.com/components/secret-detection/secret-detection@2.3.4   # pinned
      - component: gitlab.com/components/sast/sast@3.3.4   # updated
      - component: gitlab.com/components/dast@1.3.4   # trusted
    install-deps:
      image: node:22@sha256:8f3e2a1b9c0d7e6f5a4b3c2d…   # pinned
      allow_failure: false   # strict
      rules:
        - when: always   # runs

.github/workflows/ci.yml

    on:
      ## Safe trigger
      - pull_request   # safe
    permissions:
      contents: read   # least-priv
    jobs:
      build:
        steps:
          - uses: actions/checkout@a1b2c3d4e5f6a7b8c9d0…   # pinned
          - env:
              TITLE: ${{ github.event.title }}   # bound
            run: echo "$TITLE"   # safe

Each scan applies policy checks across your pipeline. Here is what Plumber controls.

Pipeline composition

GitLab: detects hardcoded jobs in the .gitlab-ci.yml and verifies that all required template and component modules are included, up to date, and do not follow unauthorized patterns (latest, main, etc.). GitHub: detects unpinned and risky steps in .github/workflows/*.yml and verifies that third-party actions are pinned by commit SHA, not archived, and free of known CVEs.

CI/CD container images

Detects container images using mutable tags that can change unexpectedly. Ensures images come from trusted registries only.
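To make the pipeline-composition and container-image controls concrete, here is an added example (not Plumber's own code, and not its policy catalog or issue codes) of a minimal GitHub Actions policy check in Python. It reproduces the findings annotated in the demo workflow above: the pull_request_target trigger, write-all permissions, ACTIONS_STEP_DEBUG, actions not pinned to a commit SHA, container images not pinned by digest, and github.event.* expanded directly inside a run: script. It assumes the workflow has already been loaded into a dict (for example with PyYAML), so it runs with the standard library only; the two workflows below are embedded as constructed dicts, and the 40-character SHA is a placeholder. The names audit_workflow, trigger_names and image_is_pinned are this example's own. Archived-repository and known-CVE checks need external data and are not covered.

```python
"""Minimal GitHub Actions policy check in the spirit of the controls above.
Added example, not Plumber's own code or policy catalog. The workflow is
assumed to be already parsed (e.g. with PyYAML) into a dict, so this runs
with the standard library only."""
import re

# Only a full commit id (40-hex SHA-1, or 64-hex SHA-256) counts as pinned.
COMMIT_SHA = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# A ${{ github.event.* }} expression expanded directly into a run: script.
EVENT_EXPR = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")


def trigger_names(workflow):
    """Normalise `on:` (string, list or mapping) to a set of event names.
    YAML 1.1 loaders such as PyYAML read the bare key `on` as boolean True,
    so both spellings of the key are accepted."""
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return set()
    if isinstance(on, str):
        return {on}
    return set(on)  # list of names, or mapping keyed by name


def image_is_pinned(image):
    """A container image is immutable only when referenced by digest."""
    return "@sha256:" in image


def audit_workflow(workflow):
    """Return (location, code, detail) for every violation found."""
    findings = []
    if "pull_request_target" in trigger_names(workflow):
        findings.append(("on", "dangerous",
                         "pull_request_target runs with base-repo secrets on external PRs"))
    if workflow.get("permissions") == "write-all":
        findings.append(("permissions", "write-all",
                         "GITHUB_TOKEN should be least-privilege, e.g. contents: read"))
    if str((workflow.get("env") or {}).get("ACTIONS_STEP_DEBUG", "")).lower() == "true":
        findings.append(("env", "debug", "step debug logging is enabled"))
    for job_name, job in (workflow.get("jobs") or {}).items():
        job = job or {}
        loc = f"jobs.{job_name}"
        if job.get("permissions") == "write-all":
            findings.append((f"{loc}.permissions", "write-all", "job token is write-all"))
        if str((job.get("env") or {}).get("ACTIONS_STEP_DEBUG", "")).lower() == "true":
            findings.append((f"{loc}.env", "debug", "step debug logging is enabled"))
        container = job.get("container")
        image = container.get("image") if isinstance(container, dict) else container
        if image and not image_is_pinned(image):
            findings.append((f"{loc}.container", "mutable", f"{image} is not pinned by digest"))
        for i, step in enumerate(job.get("steps") or []):
            sloc = f"{loc}.steps[{i}]"
            uses = step.get("uses", "")
            if uses.startswith("docker://"):
                if not image_is_pinned(uses):
                    findings.append((sloc, "mutable", f"{uses} is not pinned by digest"))
            elif uses and not uses.startswith("./"):
                ref = uses.partition("@")[2]  # "" when no @ref at all
                if not COMMIT_SHA.match(ref):
                    findings.append((sloc, "mutable", f"{uses} is not pinned to a commit SHA"))
            run = step.get("run") or ""
            if EVENT_EXPR.search(run):
                findings.append((sloc, "injection",
                                 "github.event.* expanded inside run; bind it via env instead"))
    return findings


# Constructed sample: the risky demo workflow as PyYAML would load it
# (the True key stands in for the bare `on:` key).
RISKY = {
    True: ["pull_request_target"],
    "permissions": "write-all",
    "jobs": {"build": {
        "env": {"ACTIONS_STEP_DEBUG": "true"},
        "steps": [
            {"uses": "tj-actions/changed-files@main"},
            {"uses": "archived-org/setup@v1"},
            {"run": 'echo "${{ github.event.title }}"'},
        ],
    }},
}

# Constructed sample: the remediated workflow; the SHA is a placeholder.
SAFE = {
    "on": ["pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"build": {"steps": [
        {"uses": "actions/checkout@" + "a1b2c3d4e5f6a7b8c9d0" * 2},
        {"env": {"TITLE": "${{ github.event.title }}"}, "run": 'echo "$TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for loc, code, detail in audit_workflow(RISKY):
        print(f"{loc}: {code}: {detail}")
    print("remediated workflow findings:", audit_workflow(SAFE))
```

Running the script prints one line per finding for RISKY and an empty list for SAFE. The deliberate choice is that an expression inside env: is not flagged while the same expression inside run: is: once bound to an environment variable, the value is passed to the shell as data rather than spliced into the script text, which is exactly the before/after shown in the demo.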

Access and authorization

Verifies that critical branches have proper protection settings.

See all controls

Plumber also checks runners, caches, artifacts, and many other areas beyond these three. The documentation lists the full catalog and how each control maps to issue codes.


Quick Start

Get started in minutes

Set up Plumber in your GitLab CI/CD pipeline or GitHub Actions workflow with just a few simple steps.

Set up Plumber in your repository

Add the Plumber component to your GitLab pipeline (or call the CLI from your GitHub Actions workflow) and configure controls (registries, action pinning, branch protection, etc.).

Run your CI/CD pipeline

Plumber runs as part of your pipeline and scans your CI configuration and job or workflow definitions.

Get your compliance report

View results in the job output or download the report artifact for audit and remediation.

Plumber Radar

See what's actually shipping in open source CI/CD

We point the open-source Plumber CLI at hundreds of popular public GitLab projects, aggregate the results, and publish them live.

  • 200+ projects scanned
  • 13 compliance controls
  • A-E Nutri-style grades

Live Plumber Radar (getplumber.io/radar, scanning gitlab.com): average score B (79.1 / 100); 4,356 findings, of which 715 are rated high or above; recent scans sorted by score: 96%, 84%, 71%, 53%, 32%.

FAQ

Frequently asked questions

What is Plumber?

Plumber is an open-source CLI and compliance platform that audits GitLab CI/CD pipelines and GitHub Actions workflows for security and compliance issues. It checks pipeline composition, container images, triggers, permissions, and branch protection against a policy file, and produces a letter-grade report (A–E) with documented remediation for every issue found.

Is Plumber free and open source?

Yes. The Plumber CLI is open source and free to use — the code lives on GitHub. For teams that need continuous monitoring, drift detection, and audit-ready reporting across many projects, there is also the Plumber Platform.

How do I check my GitLab CI/CD pipelines for compliance?

Install the Plumber CLI (Homebrew, mise, Docker, or prebuilt binary), point it at your repository, and it scans your .gitlab-ci.yml and project settings against a catalog of compliance controls. You get a letter grade and a list of issues with step-by-step remediation guides.

Does Plumber support GitHub Actions?

Yes. The same CLI scans GitHub Actions workflows with the same policy file and shared controls: pinned action SHAs, least-privilege permissions, dangerous triggers, mutable image tags, and more. There is also a drop-in GitHub Action with SARIF upload for Code Scanning.

What is CI/CD compliance?

CI/CD compliance means your build and deployment pipelines follow the security controls your organization or regulators require — for example pinned dependencies, trusted container registries, least-privilege tokens, and protected branches. It is a growing requirement of frameworks like ISO 27001, NIS2, DORA, and SOC 2, because pipelines hold secrets and ship code to production.

How is Plumber different from a manual pipeline audit?

A manual audit is a snapshot that goes stale as soon as a pipeline changes. Plumber encodes the same checks as policy, so every scan is reproducible, runs in CI on every change, and catches drift continuously — instead of once a year before the audit.