ISSUE-101 · Critical · Medium · CI/CD · Container Images
Untrusted image source
Control: Container images must come from authorized sources · Config key: containerImageMustComeFromAuthorizedSources
📋 What is this?
The container image used to run one of your CI/CD jobs comes from a source that is not declared as trusted, which poses a security risk.
⚠️ Impact
Untrusted image sources can introduce malicious code into your pipeline. For instance, a malicious image can steal your API tokens and your source code, and can even alter that source code.
🔧 How to fix
Replace the container image with an image coming from a source declared as trusted in your Policy controls.
✗ Before
Images from unknown registries could be compromised.

```yaml
# .gitlab-ci.yml — ❌ Images from untrusted registries
security-scan:
  image: untrusted-registry.example.com/scanner:2.0
  script:
    - scan --project .

sast:
  image: attacker-registry.example.com/malicious/sast:latest
  script:
    - sast-scan .
```

✓ After
Only images from trusted registries should be used.

```yaml
# .gitlab-ci.yml — ✅ Images from authorized registries
security-scan:
  image: registry.gitlab.com/security-products/secrets:7
  script:
    - scan --project .

sast:
  image: $CI_REGISTRY_IMAGE/custom-sast:1.2.0
  script:
    - sast-scan .

# .plumber.yaml — Authorized sources configuration
# containerImageMustComeFromAuthorizedSources:
#   enabled: true
#   trustDockerHubOfficialImages: true
#   trustedUrls:
#     - registry.gitlab.com/security-products/*
#     - $CI_REGISTRY_IMAGE:*
#     - $CI_REGISTRY_IMAGE/*
```

💡 Tips
- Enable `trustDockerHubOfficialImages: true` to allow official Docker Hub images (e.g., `python`, `node`).
- Use wildcard patterns in `trustedUrls` (e.g., `gcr.io/your-org/*`).
- Consider setting up a private registry mirror for external images.
⚙️ Configuration
This control is configured in .plumber.yaml under the key:

```yaml
controls:
  containerImageMustComeFromAuthorizedSources:
    enabled: true
```

See the CLI documentation for the full configuration reference.
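As an added illustration of what this control evaluates (example code written for this page, not plumber's own implementation), the following Python checks each job's `image` against the policy block shown above: it expands `$CI_REGISTRY_IMAGE`, treats Docker Hub official images as single-segment names with no registry host, and matches `trustedUrls` as shell-style glob patterns. The sample pipeline, the CI variable value and the glob/official-image semantics are assumptions, not documented behaviour of the tool.

```python
import fnmatch

# Constructed sample pipeline: the two "before" jobs from the page plus two more jobs
JOBS = {
    "security-scan": {"image": "untrusted-registry.example.com/scanner:2.0"},
    "sast": {"image": "attacker-registry.example.com/malicious/sast:latest"},
    "lint": {"image": {"name": "python:3.12", "entrypoint": [""]}},
    "build": {"image": "$CI_REGISTRY_IMAGE/custom-sast:1.2.0"},
}
POLICY = {  # keys and values taken from the .plumber.yaml block on this page
    "enabled": True,
    "trustDockerHubOfficialImages": True,
    "trustedUrls": [
        "registry.gitlab.com/security-products/*",
        "$CI_REGISTRY_IMAGE:*",
        "$CI_REGISTRY_IMAGE/*",
    ],
}
CI_VARS = {"CI_REGISTRY_IMAGE": "registry.gitlab.com/acme/app"}  # constructed value

def expand(ref, ci_vars):
    """Substitute $VAR references with CI variable values (assumed substitution rule)."""
    for name, value in ci_vars.items():
        ref = ref.replace("$" + name, value)
    return ref

def is_dockerhub_official(ref):
    """Assumed Docker-style rule: no registry host and no namespace => library/<name>."""
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return False                          # explicit registry host, not Docker Hub
    repo = ref.split("@")[0].split(":")[0]    # drop tag or digest
    return "/" not in repo                    # "python:3.12" yes, "bitnami/postgres:15" no

def check_pipeline(jobs, policy, ci_vars):
    """Return {job: image} for every job whose image matches no authorized source."""
    if not policy.get("enabled", False):
        return {}
    patterns = [expand(p, ci_vars) for p in policy.get("trustedUrls", [])]
    findings = {}
    for job, spec in jobs.items():
        image = spec.get("image")
        if isinstance(image, dict):           # GitLab allows image: {name: ..., entrypoint: ...}
            image = image.get("name")
        if not image:
            continue
        ref = expand(image, ci_vars)
        if policy.get("trustDockerHubOfficialImages") and is_dockerhub_official(ref):
            continue
        if any(fnmatch.fnmatchcase(ref, p) for p in patterns):
            continue
        findings[job] = image
    return findings
```

Running `check_pipeline(JOBS, POLICY, CI_VARS)` flags only `security-scan` and `sast`; a pattern such as `registry.gitlab.com/*` would be far broader than the page's examples, so keep `trustedUrls` as narrow as your registries allow.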