ISSUE-401 Medium Medium Pipeline Composition
Hardcoded job
Control: Pipeline must not contain hardcoded jobs · Config key: pipelineMustNotIncludeHardcodedJobs
📋 What is this?
A job in the pipeline configuration is hardcoded, increasing maintainability costs and introducing a compliance risk.
⚠️ Impact
Hardcoded jobs make pipelines harder to maintain and adapt to changes. Moreover, they introduce a risk of being non-compliant with the organization's standards. For instance, if your security check job is hardcoded, you might miss the organization's security standards checks.
🔧 How to fix
Replace the hardcoded job in the project CI/CD configuration with a template or component inclusion.
✗ Before
All jobs are hardcoded — no reuse, no governance.

```yaml
# .gitlab-ci.yml — ❌ Jobs defined directly (hardcoded)
stages:
  - test
  - build
  - deploy

test:
  stage: test
  image: python:3.12
  script:
    - pip install pytest
    - pytest tests/

build:
  stage: build
  image: docker:27
  script:
    - docker build -t $CI_REGISTRY_IMAGE .
    - docker push $CI_REGISTRY_IMAGE
```

✓ After
Jobs come from versioned components and templates.

```yaml
# .gitlab-ci.yml — ✅ Jobs from CI/CD components and includes
include:
  # CI/CD Component from the catalog
  - component: gitlab.com/components/sast/sast@1.2.0
  # Shared template from another project
  - project: my-org/ci-templates
    ref: v2.1.0
    file: /templates/docker-build.yml

stages:
  - test
  - build
  - deploy

# Only project-specific configuration remains
variables:
  DOCKER_IMAGE_NAME: my-app
```

💡 Tips
- Browse the [GitLab CI/CD Catalog](https://gitlab.com/explore/catalog) for reusable components.
- Create shared templates in a dedicated project for organization-specific jobs.
- Some project-specific jobs may be acceptable — discuss with your team what should be centralized.
⚙️ Configuration
This control is configured in `.plumber.yaml` under the key:

```yaml
controls:
  pipelineMustNotIncludeHardcodedJobs:
    enabled: true
```

See the CLI documentation for the full configuration reference.
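
A rough local approximation of what this control looks for, as an added example (not the tool's own implementation and not code from this page): it reports top-level entries of a `.gitlab-ci.yml` that carry their own `script`, `trigger` or `run`, and ignores global keywords, hidden templates and variables-only overrides of included jobs. The function name `hardcoded_jobs`, the keyword lists and the `docker-build` override are assumptions made for illustration.

```ruby
require 'yaml'

# Top-level keys that GitLab reads as global configuration, never as jobs.
GLOBAL_KEYWORDS = %w[default include stages variables workflow
                     image services cache before_script after_script].freeze
# A top-level mapping with one of these keys defines what a job executes.
JOB_MARKERS = %w[script trigger run].freeze

# Names of jobs defined directly in this file. Heuristic: hidden ".name"
# templates and overrides without script/trigger/run are not reported.
def hardcoded_jobs(ci_yaml)
  config = YAML.safe_load(ci_yaml, aliases: true)
  return [] unless config.is_a?(Hash)
  config.select do |name, body|
    !GLOBAL_KEYWORDS.include?(name.to_s) &&
      !name.to_s.start_with?('.') &&
      body.is_a?(Hash) && JOB_MARKERS.any? { |key| body.key?(key) }
  end.keys
end

# "Before" pipeline from this page, abridged.
BEFORE = <<~'YAML'
  stages: [test, build, deploy]
  test:
    stage: test
    script:
      - pytest tests/
  build:
    stage: build
    script:
      - docker build -t $CI_REGISTRY_IMAGE .
YAML

# "After" pipeline from this page, plus a constructed variables-only override.
AFTER = <<~'YAML'
  include:
    - component: gitlab.com/components/sast/sast@1.2.0
    - project: my-org/ci-templates
      ref: v2.1.0
      file: /templates/docker-build.yml
  stages: [test, build, deploy]
  variables:
    DOCKER_IMAGE_NAME: my-app
  docker-build:          # hypothetical job name from the included template
    variables:
      DOCKER_BUILDKIT: "1"
YAML

puts "before: #{hardcoded_jobs(BEFORE)}", "after: #{hardcoded_jobs(AFTER)}"
```

A job that only sets `extends` is not reported either, so review those by hand if local templates are also meant to be centralized.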