Compliance Controls
Plumber allows defining controls for GitLab projects, covering both CI/CD configuration and project settings. When a control is not respected, an issue is created.
Scope
- All: Plumber Platform and Open Source CLI
- Platform: Plumber Platform only
- CLI: Open Source CLI only (not a Platform control)
CI/CD Container Images
| Scope | Control | What it checks | Why it matters |
|---|---|---|---|
| All | Container images must come from authorized sources ISSUE-101 | Verifies that container images used to run your CI/CD pipelines come from authorized and trusted sources. | Helps mitigate security risks introduced by the use of malicious, compromised, or vulnerable images. |
| All | Container images must not use forbidden tags ISSUE-102 | Verifies that container images used to run your CI/CD pipelines rely on authorized tags. | Helps mitigate both security and functional risks introduced by the use of unverified, outdated, or compromised image versions. |
| CLI | Container images must be pinned by digest ISSUE-103 | Verifies that container images are referenced by their SHA256 digest rather than a mutable tag. | Prevents supply chain attacks where a tag is overwritten with a compromised image, guaranteeing exact image content in every pipeline run. |
CI/CD Variables
| Scope | Control | What it checks | Why it matters |
|---|---|---|---|
| Platform | CI/CD variables must be protected ISSUE-201 | Verifies that CI/CD variables used in a project have the protected field enabled. | Ensures sensitive values are restricted to protected branches or tags, reducing unauthorized exposure. |
| Platform | CI/CD variables must be masked ISSUE-202 | Verifies that CI/CD variables used in a project have the masked field enabled. | Prevents variable values from being exposed in pipeline logs, reducing the risk of leaks. |
| CLI | Pipeline must not enable debug trace ISSUE-203 | Verifies that CI_DEBUG_TRACE and CI_DEBUG_SERVICES are not enabled in the pipeline configuration. | Prevents exposure of all CI/CD variable values in job logs, including secrets and tokens. |
| CLI | Pipeline must not use unsafe variable expansion ISSUE-204 | Detects user-controlled CI variables expanded in shell re-interpretation contexts (eval, sh -c, bash -c, source). | Prevents command injection via crafted branch names, MR titles, or commit messages (OWASP CICD-SEC-1). |
| CLI | Pipeline must not override job variables ISSUE-205 | Detects controlled CI/CD variables redefined in .gitlab-ci.yml that should only be set in GitLab CI/CD Settings. | Reduces risk of tampering with scanner settings or other governed variables via pipeline YAML. |
CI/CD Secrets
| Scope | Control | What it checks | Why it matters |
|---|---|---|---|
| Platform | Pipeline configuration must not contain secrets ISSUE-301 | Uses Gitleaks to verify that both merged and unmerged CI/CD configurations don’t have leaked secrets. | Prevents exposure of API keys, passwords, or tokens that could lead to unauthorized access. |
Pipeline Composition
| Scope | Control | What it checks | Why it matters |
|---|---|---|---|
| All | Pipelines must include templates ISSUE-405 ISSUE-406 | Verifies that the projects contain specific templates. This control can also allow overriding certain variables in the included templates. | Ensures pipelines comply with required security and compliance practices. |
| All | Pipelines must include components ISSUE-408 ISSUE-409 | Verifies that the projects contain specific GitLab components. This control can also allow overriding certain variables in the included components. | Ensures pipelines integrate mandatory security and compliance steps. |
| Platform | Pipeline must include required phases ISSUE-407 | Verifies that the CI/CD pipeline includes a group of job types. | Ensures completeness and compliance of the pipeline execution flow. |
| All | Pipeline must not contain hardcoded jobs ISSUE-401 | Verifies that no hardcoded job is used in CI/CD pipelines. | Improves maintainability and ensures compliance with best practices. |
| All | Pipeline must not use forbidden ref in includes ISSUE-404 | Verifies that the included refs are using specified tags. | Prevents reliance on insecure or non-compliant references. |
| All | Pipeline must use only up-to-date includes ISSUE-403 | Verifies that the included pipelines are up-to-date compared to their source. | Reduces risks from outdated or vulnerable templates. |
| CLI | Security jobs must not be weakened ISSUE-410 | Detects security scanning jobs (SAST, Secret Detection, Container Scanning, etc.) weakened by allow_failure: true, rules: overrides with when: never / when: manual, or when: manual at job level. | Prevents silently neutralized security scans that give a false sense of compliance (OWASP CICD-SEC-4). |
| CLI | Pipeline must not execute unverified scripts ISSUE-411 | Detects jobs that download and immediately execute scripts from the internet (curl | bash, wget | sh, download-then-execute) without integrity verification. | Prevents supply chain attacks where a compromised URL serves a modified script that exfiltrates secrets (OWASP CICD-SEC-3, CICD-SEC-8). |
| CLI | Pipeline must not use Docker-in-Docker ISSUE-412 ISSUE-413 | Detects Docker-in-Docker (docker:dind) services and insecure daemon configuration (for example plaintext Docker API). | Reduces container escape and lateral movement risk on shared runners; prefer Kaniko or Buildah for image builds. |
Access and Authorization
| Scope | Control | What it checks | Why it matters |
|---|---|---|---|
| All | Branch must be protected ISSUE-501 ISSUE-505 | Verifies that the project configuration respects the protection, push, merge and owner approval on included branch names. | Prevents unauthorized modifications and enforces branch protection standards. |
| Platform | MR approval rules must have at least N approval required ISSUE-502 | Verifies that the project merge request approval rules that cover all protected branches have a minimum number of approval requirements. | Prevents unreviewed code from being merged, reducing security risks. |
| Platform | MR approval settings must be compliant ISSUE-503 | Verifies that MR approval settings are properly configured. | Ensures compliance with review and security requirements. |
| Platform | An MR approval rule must be defined to cover all protected branches ISSUE-504 | Verifies that the protected branches have at least one approval rule. | Ensures protected branches cannot bypass review processes. |
| Platform | MR settings must be compliant ISSUE-506 | Verifies that the project’s merge request settings are correct in terms of merge method, resolving differences, squashing, etc. | Reduces risk of unauthorized or insecure code changes. |
| Platform | Number of project members must respect a quota ISSUE-507 | Verifies that the project configuration respects the owner, maintainer and developer quotas. | Prevents uncontrolled access that could weaken project security. |
| Platform | Number of group members must respect a quota ISSUE-508 | Verifies that the group configuration respects the owner, maintainer and developer quotas. | Prevents uncontrolled access at group level, strengthening governance. |
Security Source
| Scope | Control | What it checks | Why it matters |
|---|---|---|---|
| Platform | Project must have a security policy source ISSUE-601 | Verifies if the projects have a specific project as their source of security policy. | Ensures compliance with security policy and reduces risk of unmanaged vulnerabilities. |