ISSUE-402 High Medium Pipeline Composition
Forbidden override of job
Control: Pipeline must not override template jobs · Config key: pipelineMustNotOverrideTemplateJobs
📋 What is this?
A CI/CD job coming from a template has been overridden in the project CI/CD configuration.
⚠️ Impact
Overriding a template's job may cause inconsistent or insecure pipeline configurations. For example, if your security scan job is overridden, untested code might be deployed.
🔧 How to fix
Remove job overrides from the project CI/CD configuration. If overrides are relevant, include them in the required template or create a new one.
✗ Before
The template's security-scan job is overridden, bypassing the original implementation.

# .gitlab-ci.yml — ❌ Job from template overridden
include:
  - project: my-org/ci-templates
    ref: v2.1.0
    file: /templates/security.yml

# Overrides the security-scan job defined in the template
security-scan:
  script:
    - echo "Security scan disabled for speed"
  when: manual

✓ After
Template jobs run as designed. Customization is done via variables.

# .gitlab-ci.yml — ✅ Template job used without override
include:
  - project: my-org/ci-templates
    ref: v2.1.0
    file: /templates/security.yml

# No local overrides — template jobs run as designed
# Use variables for customization:
variables:
  SECURITY_SCAN_LEVEL: "high"

💡 Tips
- If you need to customize a template job, contact the template owner to add configuration variables.
- Template jobs should be designed to accept configuration through environment variables.
- If the override is essential, create a fork of the template and use that instead.
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
controls:
  pipelineMustNotOverrideTemplateJobs:
    enabled: true

See the CLI documentation for the full configuration reference.
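
The condition this control flags is a template job name reappearing as a top-level key in the project's .gitlab-ci.yml. The following is an added example of that comparison, not Plumber's implementation, run against the Before and After files shown above. The template body (`./run-scan`) is a constructed assumption, and keys are found with a line-based regex rather than a full YAML parser.

```python
import re

# GitLab CI global keywords: top-level keys that configure the pipeline, not jobs.
RESERVED = {"default", "include", "stages", "variables", "workflow", "spec",
            "image", "services", "cache", "before_script", "after_script"}

# A top-level key starts at column 0 (optionally quoted) and ends with ':'.
# Simplification: anchors, merge keys and nested includes are not resolved.
TOP_LEVEL_KEY = re.compile(r"""^(?:"([^"]+)"|'([^']+)'|([^\s#'"\-].*?))\s*:(?:\s|$)""")

def job_names(ci_yaml):
    """Return the job names (hidden '.jobs' included) defined in a CI file."""
    names = set()
    for line in ci_yaml.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            key = next(g for g in m.groups() if g)
            if key not in RESERVED:
                names.add(key)
    return names

def overridden_template_jobs(template_yaml, project_yaml):
    """Jobs defined by the template that the project file defines again."""
    return sorted(job_names(template_yaml) & job_names(project_yaml))

# Constructed sample: what /templates/security.yml might contain (assumption).
TEMPLATE = """\
security-scan:
  script:
    - ./run-scan --level "$SECURITY_SCAN_LEVEL"
"""
# The page's Before and After project files, comments removed.
INCLUDE = """\
include:
  - project: my-org/ci-templates
    ref: v2.1.0
    file: /templates/security.yml
"""
BEFORE = INCLUDE + ('security-scan:\n  script:\n'
                    '    - echo "Security scan disabled for speed"\n  when: manual\n')
AFTER = INCLUDE + 'variables:\n  SECURITY_SCAN_LEVEL: "high"\n'

if __name__ == "__main__":
    print("before:", overridden_template_jobs(TEMPLATE, BEFORE))
    print("after: ", overridden_template_jobs(TEMPLATE, AFTER))
```

Hidden jobs (names starting with `.`) are compared too, because redefining one changes every template job that extends it.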