ISSUE-406 High Medium Pipeline Composition
Forbidden override of required template
Control: Pipelines must include templates · Config key: pipelineMustIncludeTemplate
📋 What is this?
A required CI/CD template, as defined in your Policy controls, has been overridden in the project pipeline.
⚠️ Impact
Overriding required templates can lead to non-compliant and insecure pipelines. For example, overriding a SAST template might bypass mandatory checks.
🔧 How to fix
Remove overrides from the project CI/CD configuration. If overrides are relevant, include them in the required template or create a new one.
✗ Before
The template's security-scan job is overridden and made manual.

```yaml
# .gitlab-ci.yml — ❌ Overrides required template job
include:
  - project: my-org/ci-templates
    ref: v2.1.0
    file: /templates/security.yml

# Overrides the security-scan job from the template
security-scan:
  script:
    - echo "Security scan disabled for speed"
  when: manual
```

✓ After
Template jobs run as designed, configuration via variables.

```yaml
# .gitlab-ci.yml — ✅ Template included without overrides
include:
  - project: my-org/ci-templates
    ref: v2.1.0
    file: /templates/security.yml

# No local overrides — template jobs run as designed
# Use variables for customization:
variables:
  SECURITY_SCAN_LEVEL: "high"
```

💡 Tips
- Design templates with configurable variables so teams don't need to override jobs.
- Plumber shows exactly which job keys are overridden in the issue details.
- Consider making critical template jobs non-overridable by design.
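To reason about which job keys a local definition overrides, the check below compares a project file against a required template. It is an added example, not Plumber's own code. It assumes both files are already parsed into dicts, and the template contents (including the `run-security-scan` command) are constructed, since the page does not show the template.

```python
# Added example: report local jobs that redefine jobs from a required template.
# Inputs are dicts as a YAML parser would return them; all sample data is constructed.

# Top-level keys in .gitlab-ci.yml that are global keywords, not job names.
GLOBAL_KEYWORDS = {
    "default", "include", "stages", "variables", "workflow",
    "image", "services", "cache", "before_script", "after_script",
}


def find_overrides(template, project):
    """Return {job: {"changed": [...], "added": [...]}} for each template job
    that the project file redefines. GitLab merges the local job over the
    included one, so changed AND newly added keys both alter the job."""
    findings = {}
    for name, local_job in project.items():
        tmpl_job = template.get(name)
        if name in GLOBAL_KEYWORDS or not isinstance(tmpl_job, dict):
            continue
        if not isinstance(local_job, dict):
            continue
        changed = sorted(k for k in local_job
                         if k in tmpl_job and local_job[k] != tmpl_job[k])
        added = sorted(k for k in local_job if k not in tmpl_job)
        if changed or added:
            findings[name] = {"changed": changed, "added": added}
    return findings


# Constructed stand-in for /templates/security.yml (hypothetical contents).
TEMPLATE = {
    "security-scan": {
        "stage": "test",
        "script": ["run-security-scan --level $SECURITY_SCAN_LEVEL"],
    },
}
INCLUDE = [{"project": "my-org/ci-templates", "ref": "v2.1.0",
            "file": "/templates/security.yml"}]
# The "Before" and "After" project files from this page, as parsed dicts.
BEFORE = {
    "include": INCLUDE,
    "security-scan": {"script": ['echo "Security scan disabled for speed"'],
                      "when": "manual"},
}
AFTER = {"include": INCLUDE, "variables": {"SECURITY_SCAN_LEVEL": "high"}}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, find_overrides(TEMPLATE, cfg))
```

In the "Before" case, `when: manual` is reported as an added key: the template never set `when`, but the merge still changes when the job runs.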
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
```yaml
controls:
  pipelineMustIncludeTemplate:
    enabled: true
```

See the CLI documentation for the full configuration reference.