Skip to main content

Issues

Issues list

When a control detects a violation in your project, Plumber creates an Issue. Each issue has a unique identifier following the format ISSUE-XXXX and is grouped by control.

All means the control applies to Plumber Platform and the Open Source CLI. Platform means Plumber Platform only (the Open Source CLI does not report this issue). CLI means the Open Source CLI reports this issue only (it is not enforced as a Platform control). See Compliance Controls for the full table.

Click any issue to see the full description, impact, before/after configuration examples, and remediation steps.

Severity

Impact if the issue is present and exploited, not likelihood. Plumber detects; you assess.

🔴 Critical — If exploited, immediate severe consequences: pipeline takeover, secrets leak, or supply chain compromise. Address as top priority.
🟠 High — Significantly weakens defenses. If exploited or triggered by human error, can lead to a serious incident or major compliance failure.
🟡 Medium — Degrades security hygiene. Does not directly expose the pipeline or repo, but creates conditions that may contribute to a future incident or error.
🔵 Low — No short-term security impact; deviation from best practices. Address in continuous improvement.

Fix duration

Rough effort to remediate. Your environment and process may differ.

🔴 Extended — More than 2 days to fix.
🟠 Long — 1 to 2 days to fix.
🟡 Medium — 1 to 4 hours to fix.
🔵 Quick — Less than 1 hour to fix.

CI/CD Container Images

ISSUE-101 Untrusted image source

All High Medium

ISSUE-103 Container image is not pinned by digest

CLI High Medium

ISSUE-102 Forbidden container image tag

All Medium Quick

CI/CD Variables

ISSUE-203 Pipeline enables CI debug trace

CLI Critical Quick

ISSUE-205 Job variable overrides controlled variable

ISSUE-201 Unprotected variable

Platform Medium Quick

ISSUE-202 Unmasked variable

Platform Medium Quick

ISSUE-204 Unsafe variable expansion

CLI Medium Medium

CI/CD Secrets

ISSUE-301 Secret leak in pipeline configuration

Platform Critical Quick

Pipeline Composition

ISSUE-410 Security job weakened

CLI Critical Quick

ISSUE-405 Missing required template

All High Medium

ISSUE-407 Invalid pipeline composition

Platform High Long

ISSUE-408 Missing required component

All High Medium

ISSUE-411 Unverified script execution

CLI High Medium

ISSUE-412 Docker-in-Docker service detected

CLI High Medium

ISSUE-413 Docker-in-Docker with insecure daemon configuration

ISSUE-401 Hardcoded job

All Medium Medium

ISSUE-404 Forbidden include version

All Medium Quick

ISSUE-406 Forbidden override of required template

All Medium Medium

ISSUE-409 Forbidden override of required component

All Medium Medium

ISSUE-403 Outdated template

Access and Authorization

ISSUE-501 Branch protection missing

All Critical Quick

ISSUE-502 Merge request approval rule is below the minimum level of approvals required

Platform High Quick

ISSUE-503 Merge request approval settings are not compliant

Platform High Quick

ISSUE-504 No merge request approval rule covering all protected branches

Platform High Quick

ISSUE-505 Branch protection configuration not compliant

ISSUE-506 Merge request settings are not compliant

Platform Medium Quick

ISSUE-507 Members' role quotas are not respected for projects

Platform Medium Medium

ISSUE-508 Members' role quotas are not respected for groups

Platform Medium Medium

Security Source

ISSUE-601 Missing security policy source on project

Platform Critical Quick

Issues status

An issue status can be:

Detected: The default state for a newly discovered issue.
In progress: A user started to work on fixing this issue.
Dismissed: A user has evaluated this issue and dismissed it. Dismissed issues are ignored if detected in subsequent analyses.
Fixed: The issue has been fixed or is no longer detected. If a fixed issue is reintroduced and detected again, its status is set back to Detected. An issue typically goes through the following lifecycle: