Plumber allows defining controls for GitLab projects, covering both CI/CD configuration and project settings. When a control is not respected, an issue is created.
| Control | Problem | Impact |
|---|---|---|
| Container images must come from authorized sources | Verifies that container images used to run your CI/CD pipelines come from authorized and trusted sources. | Helps mitigate security risks introduced by the use of malicious, compromised, or vulnerable images. |
| Container images must not use forbidden tags | Verifies that container images used to run your CI/CD pipelines rely on authorized tags. | Helps mitigate both security and functional risks introduced by the use of unverified, outdated, or compromised image versions. |
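As an added illustration of what the two image controls above evaluate (this is example code, not Plumber's own implementation), the checker below walks the parsed form of a `.gitlab-ci.yml`, resolves each job's effective image (job-level or `default:`), and reports images whose registry is outside an allowlist or whose tag is forbidden. The registry allowlist, the forbidden-tag list and the sample pipeline are constructed assumptions.

```python
# Constructed policy values (assumptions, not Plumber's configuration).
AUTHORIZED_REGISTRIES = {"registry.example.com"}
FORBIDDEN_TAGS = {"latest", ""}  # "" means the reference carries no tag at all
# Reserved top-level keys of .gitlab-ci.yml that are not jobs.
RESERVED = {"default", "include", "stages", "variables", "workflow", "image", "services"}

def parse_image(ref: str) -> tuple[str, str]:
    """Return (registry, tag); digest-pinned references report the tag "@digest"."""
    if "@" in ref:
        path, tag = ref.split("@", 1)[0], "@digest"
    else:
        path, last = ref, ref.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else ""
    first = path.split("/", 1)[0]
    # Only a first component that looks like a host is a registry; otherwise Docker Hub.
    if "/" in path and ("." in first or ":" in first or first == "localhost"):
        return first, tag
    return "docker.io", tag

def image_of(spec):
    """GitLab accepts `image: <name>` or `image: {name: <name>, entrypoint: [...]}`."""
    return spec.get("name") if isinstance(spec, dict) else (spec if isinstance(spec, str) else None)

def check_images(config: dict) -> list[tuple[str, str, str]]:
    """Return (job, image, control) for each job whose effective image violates a control."""
    findings = []
    default_img = image_of(config.get("default", {}).get("image")) or image_of(config.get("image"))
    for job, body in config.items():
        if job in RESERVED or job.startswith(".") or not isinstance(body, dict):
            continue  # reserved keys and hidden ".template" jobs never run
        img = image_of(body.get("image")) or default_img
        if img is None:
            continue
        registry, tag = parse_image(img)
        if registry not in AUTHORIZED_REGISTRIES:
            findings.append((job, img, "authorized-source"))
        if tag in FORBIDDEN_TAGS:
            findings.append((job, img, "forbidden-tag"))
    return findings

# Constructed stand-in for yaml.safe_load() of a project's .gitlab-ci.yml.
SAMPLE_CONFIG = {
    "default": {"image": "registry.example.com/ci/base:1.4.0"},
    "stages": ["test", "deploy"],
    "unit-tests": {"stage": "test", "script": ["make test"]},  # inherits default: compliant
    "lint": {"stage": "test", "image": "python:3.12", "script": ["ruff ."]},  # Docker Hub
    "scan": {"stage": "test", "image": "registry.example.com/ci/scanner", "script": ["scan"]},
    "deploy": {"stage": "deploy", "image": {"name": "registry.example.com/ci/deployer:latest"},
               "script": ["./deploy.sh"]},
}
```

Running `check_images(SAMPLE_CONFIG)` flags `lint` (Docker Hub source), `scan` (untagged) and `deploy` (`latest`), while `unit-tests` passes because it inherits the pinned default image.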
| Control | Problem | Impact |
|---|---|---|
| CI/CD variables must be protected | Verifies that CI/CD variables used in a project have the protected field enabled. | Ensures sensitive values are restricted to protected branches or tags, reducing unauthorized exposure. |
| CI/CD variables must be masked | Verifies that CI/CD variables used in a project have the masked field enabled. | Prevents variable values from being exposed in pipeline logs, reducing the risk of leaks. |
| Control | Problem | Impact |
|---|---|---|
| Pipeline configuration must not contain secrets | Uses Gitleaks to verify that both merged and unmerged CI/CD configurations don’t have leaked secrets. | Prevents exposure of API keys, passwords, or tokens that could lead to unauthorized access. |
| Control | Problem | Impact |
|---|---|---|
| Pipelines must include templates | Verifies that the projects contain specific templates. This control can also allow overriding certain variables in the included templates. | Ensures pipelines comply with required security and compliance practices. |
| Pipelines must include components | Verifies that the projects contain specific GitLab components. This control can also allow overriding certain variables in the included components. | Ensures pipelines integrate mandatory security and compliance steps. |
| Pipeline must include required phases | Verifies that the CI/CD pipeline includes a group of job types. | Ensures completeness and compliance of the pipeline execution flow. |
| Pipeline must not contain hardcoded jobs | Verifies that no hardcoded job is used in CI/CD pipelines. | Improves maintainability and ensures compliance with best practices. |
| Pipeline must not use forbidden refs in includes | Verifies that the refs of included files use the specified tags. | Prevents reliance on insecure or non-compliant references. |
| Pipeline must use only up-to-date includes | Verifies that the included pipelines are up-to-date compared to their source. | Reduces risks from outdated or vulnerable templates. |
| Control | Problem | Impact |
|---|---|---|
| Branch must be protected | Verifies that, for the branch names covered by the control, the project configuration enforces the expected protection, push, merge and owner-approval settings. | Prevents unauthorized modifications and enforces branch protection standards. |
| MR approval rules must require at least N approvals | Verifies that the project's merge request approval rules covering all protected branches require a minimum number of approvals. | Prevents unreviewed code from being merged, reducing security risks. |
| MR approval settings must be compliant | Verifies that MR approval settings are properly configured. | Ensures compliance with review and security requirements. |
| An MR approval rule must be defined to cover all protected branches | Verifies that the protected branches have at least one approval rule. | Ensures protected branches cannot bypass review processes. |
| Number of project members must respect a quota | Verifies that the project configuration respects the owner, maintainer and developer quotas. | Prevents uncontrolled access that could weaken project security. |
| Number of group members must respect a quota | Verifies that the group configuration respects the owner, maintainer and developer quotas. | Prevents uncontrolled access at group level, strengthening governance. |
| MR settings must be compliant | Verifies that the project’s merge request settings are correct in terms of merge method, resolving differences, squashing, etc. | Reduces risk of unauthorized or insecure code changes. |
| Control | Problem | Impact |
|---|---|---|
| Project must have a security policy source | Verifies that the projects use a specific project as their security policy source. | Ensures compliance with security policy and reduces the risk of unmanaged vulnerabilities. |