ISSUE-408 High Medium Pipeline Composition
Missing required component
Control: Pipelines must include components · Config key: pipelineMustIncludeComponent
📋 What is this?
A required GitLab catalog component, as defined in your Policy controls, is missing in the project pipeline.
⚠️ Impact
Missing components result in non-compliant and insecure pipeline configurations. For example, if your pipeline is missing a security scan component, vulnerabilities might go undetected.
🔧 How to fix
Include the missing GitLab catalog component in the CI/CD pipeline configuration of the project.
✗ Before
The SAST component is required but missing from the pipeline.
# .gitlab-ci.yml — ❌ Missing required SAST component
include:
  - component: gitlab.com/components/secret-detection/secret-detection@2.4.1
  # Missing: gitlab.com/components/sast/sast (required by policy)

# .plumber.yaml — Requires both SAST and secret detection
# pipelineMustIncludeComponent:
#   enabled: true
#   required: components/sast/sast AND components/secret-detection/secret-detection

✓ After
Both required components are included.
# .gitlab-ci.yml — ✅ All required components included
include:
  - component: gitlab.com/components/sast/sast@1.5.2
  - component: gitlab.com/components/secret-detection/secret-detection@2.4.1

💡 Tips
- Use expression syntax (AND/OR) in required for complex rules: (sast AND secret-detection) OR full-security.
- Alternatively, use requiredGroups with arrays for OR-of-ANDs logic.
- The include must match the component path pattern — check your .plumber.yaml for the exact paths.
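An added example, not Plumber's own code and not part of the original page: a small Python check that evaluates a required expression like the one in the Tips against the component entries under include: in a .gitlab-ci.yml. It assumes components are matched by exact path with the host and @version stripped, and that AND binds tighter than OR; included_components, satisfies and SAMPLE_CI are hypothetical names.

```python
import re

# Constructed sample: the "Before" pipeline from this page (SAST include absent).
SAMPLE_CI = """\
include:
  - component: gitlab.com/components/secret-detection/secret-detection@2.4.1
  # Missing: gitlab.com/components/sast/sast (required by policy)
"""

def included_components(ci_text):
    """Collect `- component:` paths, dropping host and @version (assumed matching rule)."""
    paths = set()
    for m in re.finditer(r"^\s*-\s*component:\s*(\S+)", ci_text, re.M):
        ref = m.group(1).strip("'\"").split("@", 1)[0]           # drop @version
        paths.add(ref.split("/", 1)[1] if "/" in ref else ref)  # drop host prefix
    return paths

def satisfies(expr, present):
    """Evaluate an AND/OR expression with parentheses; AND binds tighter (assumption)."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None
    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"malformed expression near token {pos}")
        pos += 1
        return tokens[pos - 1]
    def factor():
        tok = take()
        if tok == "(":
            value = any_of()
            take(")")
            return value
        if tok in (")", "AND", "OR"):
            raise ValueError(f"unexpected {tok!r}")
        return tok in present  # a bare name is true when that component is included
    def chain(op, operand, combine):
        values = [operand()]
        while peek() == op:
            take()
            values.append(operand())
        return combine(values)
    all_of = lambda: chain("AND", factor, all)
    any_of = lambda: chain("OR", all_of, any)
    result = any_of()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return result
```

Running satisfies with the policy expression from the "Before" case against included_components(SAMPLE_CI) returns False; adding the SAST include makes it True.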
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
controls:
  pipelineMustIncludeComponent:
    enabled: true
See the CLI documentation for the full configuration reference.