ISSUE-404 · Medium · Quick · Pipeline Composition
Forbidden include version
Control: Pipeline must not use forbidden ref in includes · Config key: includesMustNotUseForbiddenVersions
📋 What is this?
A CI/CD template in your pipeline is included using a version that is forbidden by your configuration.
⚠️ Impact
Using forbidden version references can result in insecure templates running in your CI/CD pipelines, or in unexpected breaking changes. For instance, if you include a template using the main version (the default branch of the source repository), it might pull a compromised, untested, or breaking template.
🔧 How to fix
Update the template include version to a version allowed by your Policy controls.
✗ Before
`latest`, `main`, and `HEAD` are mutable and forbidden.

```yaml
# .gitlab-ci.yml — ❌ Uses forbidden version references
include:
  - component: gitlab.com/components/sast/sast@latest
  - project: my-org/ci-templates
    ref: main
    file: /templates/security.yml
  - component: gitlab.com/my-org/custom-scanner/scan@HEAD
```

✓ After
Specific version tags ensure reproducible pipelines.

```yaml
# .gitlab-ci.yml — ✅ Uses specific version tags
include:
  - component: gitlab.com/components/sast/sast@1.5.2
  - project: my-org/ci-templates
    ref: v2.1.0
    file: /templates/security.yml
  - component: gitlab.com/my-org/custom-scanner/scan@3.0.1
```

💡 Tips
- Configure forbidden version patterns in `.plumber.yaml` under `includesMustNotUseForbiddenVersions.forbiddenVersions`.
- Default forbidden versions: `latest`, `~latest`, `main`, `master`, `HEAD`.
- Set `defaultBranchIsForbiddenVersion: true` to also forbid using the project's default branch name.
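The check this control performs, written out as an added example (not plumber's own code): the include entries are supplied as Python dicts mirroring the YAML above (constructed inline, so no YAML parser is needed), the forbidden set defaults to the page's list, and the `default_branch` parameter is an assumption standing in for the project's default branch name that `defaultBranchIsForbiddenVersion` refers to.

```python
# Added example, not plumber's own implementation. Flags include entries whose
# version reference is in the forbidden set (component "name@ref" form and
# project + explicit "ref:" form, the two forms shown on this page).

DEFAULT_FORBIDDEN = {"latest", "~latest", "main", "master", "HEAD"}  # page defaults

def include_ref(entry):
    """Return (name, ref) for one include entry, or None if it carries no ref.
    Includes without an explicit ref (e.g. remote:) are not judged here; that
    is an assumption of this example, not documented plumber behaviour."""
    if "component" in entry:
        name, sep, ref = entry["component"].rpartition("@")
        return (name, ref) if sep else (entry["component"], None)
    if "project" in entry:
        return (entry["project"], entry.get("ref"))
    return None

def forbidden_includes(includes, forbidden=DEFAULT_FORBIDDEN,
                       default_branch=None, default_branch_is_forbidden=False):
    """Return [(name, ref)] for every include that uses a forbidden ref.
    default_branch_is_forbidden mirrors defaultBranchIsForbiddenVersion."""
    banned = set(forbidden)
    if default_branch_is_forbidden and default_branch:
        banned.add(default_branch)
    findings = []
    for entry in includes:
        parsed = include_ref(entry)
        if parsed is None or parsed[1] is None:
            continue
        name, ref = parsed
        if ref in banned:
            findings.append((name, ref))
    return findings

# Constructed samples: the "Before" and "After" include lists from this page.
BEFORE_INCLUDES = [
    {"component": "gitlab.com/components/sast/sast@latest"},
    {"project": "my-org/ci-templates", "ref": "main", "file": "/templates/security.yml"},
    {"component": "gitlab.com/my-org/custom-scanner/scan@HEAD"},
]
AFTER_INCLUDES = [
    {"component": "gitlab.com/components/sast/sast@1.5.2"},
    {"project": "my-org/ci-templates", "ref": "v2.1.0", "file": "/templates/security.yml"},
    {"component": "gitlab.com/my-org/custom-scanner/scan@3.0.1"},
]

if __name__ == "__main__":
    for name, ref in forbidden_includes(BEFORE_INCLUDES):
        print(f"ISSUE-404: {name} uses forbidden ref '{ref}'")
    print("After block findings:", forbidden_includes(AFTER_INCLUDES))  # []
```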
⚙️ Configuration
This control is configured in `.plumber.yaml` under the key:

```yaml
controls:
  includesMustNotUseForbiddenVersions:
    enabled: true
```

See the CLI documentation for the full configuration reference.