Forbidden override of required component
Control: Pipelines must include components · Config key: pipelineMustIncludeComponent
📋 What is this?
A required GitLab catalog component, as defined in your Policy controls, has been overridden in the project pipeline. The following CI/CD keywords are detected as overrides: after_script, allow_failure, artifacts, before_script, cache, coverage, dast_configuration, dependencies, environment, identity, image, inherit, interruptible, manual_confirmation, needs, pages, parallel, release, resource_group, retry, rules, script, secrets, services, stage, tags, timeout, trigger, when.
⚠️ Impact
Overriding required components can lead to non-compliant and insecure pipelines. For example, overriding a security scan component might bypass mandatory security checks.
🔧 How to fix
Remove overrides from the project CI/CD configuration. If overrides are relevant, include them in the required component or create a new one.
```yaml
# .gitlab-ci.yml — ❌ Overrides the SAST component's script
include:
  - component: gitlab.com/components/sast/sast@1.5.2

# This overrides the SAST job, potentially disabling the scanner
sast:
  script:
    - echo "SAST scan skipped"
  variables:
    SAST_EXCLUDED_PATHS: "**/*"
```

```yaml
# .gitlab-ci.yml — ✅ Uses component inputs, no overrides
include:
  - component: gitlab.com/components/sast/sast@1.5.2
    inputs:
      stage: test

# No local overrides on the sast job
# Customization is done through component inputs only
```

💡 Tips
- Check the component's documentation for available input variables.
- Variables can usually be set globally without overriding the job itself.
- If you need to customize behavior not covered by inputs, consider forking the component.
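As an added illustration (not part of plumber or this page), the following Python script shows how a check of this kind can be expressed. It takes the project configuration already parsed into a dict (here two constructed dicts mirroring the ❌ and ✅ examples above, in place of a parsed .gitlab-ci.yml) plus a hypothetical map of required components to the jobs they define, and reports which of the listed override keywords a local job definition redefines. It goes slightly beyond the page by also reporting a required component that is not included at all; the component-to-job mapping, the finding format and the parsed-dict input are all assumptions.

```python
"""Flag project-level overrides of jobs that come from required CI components.

Added example, not plumber's own code. Assumes the project's .gitlab-ci.yml
has already been parsed into a dict (for example with a YAML library) and that
each required component is mapped to the job names it defines.
"""

# The CI/CD keywords the control treats as overrides of a component job.
OVERRIDE_KEYWORDS = frozenset({
    "after_script", "allow_failure", "artifacts", "before_script", "cache",
    "coverage", "dast_configuration", "dependencies", "environment", "identity",
    "image", "inherit", "interruptible", "manual_confirmation", "needs", "pages",
    "parallel", "release", "resource_group", "retry", "rules", "script",
    "secrets", "services", "stage", "tags", "timeout", "trigger", "when",
})

# Hypothetical mapping (an assumption): component reference -> jobs it defines.
REQUIRED_COMPONENTS = {
    "gitlab.com/components/sast/sast@1.5.2": {"sast"},
}

# Constructed sample: the ❌ configuration, as it would look after YAML parsing.
BAD_CONFIG = {
    "include": [{"component": "gitlab.com/components/sast/sast@1.5.2"}],
    "sast": {
        "script": ['echo "SAST scan skipped"'],
        "variables": {"SAST_EXCLUDED_PATHS": "**/*"},
    },
}

# Constructed sample: the ✅ configuration, customised through inputs only.
GOOD_CONFIG = {
    "include": [{
        "component": "gitlab.com/components/sast/sast@1.5.2",
        "inputs": {"stage": "test"},
    }],
}


def included_components(config):
    """Return every component reference from the top-level include: entry."""
    include = config.get("include", [])
    if isinstance(include, dict):  # include: can be a single mapping
        include = [include]
    return [
        entry["component"]
        for entry in include
        if isinstance(entry, dict) and "component" in entry
    ]


def find_overrides(config, required=REQUIRED_COMPONENTS):
    """Return a finding per missing required component or overridden job.

    A finding is a dict with the component reference, the job (None when the
    component is missing), the override keywords found, and a reason.
    """
    findings = []
    present = set(included_components(config))
    for ref, jobs in required.items():
        if ref not in present:
            findings.append({"component": ref, "job": None,
                             "keywords": [], "reason": "missing"})
            continue
        for job in jobs:
            local = config.get(job)
            if not isinstance(local, dict):
                continue  # job is not redefined locally
            # Only the listed keywords count; "variables" on its own does not,
            # which is why the ❌ sample reports "script" and not "variables".
            hit = sorted(OVERRIDE_KEYWORDS & set(local))
            if hit:
                findings.append({"component": ref, "job": job,
                                 "keywords": hit, "reason": "override"})
    return findings


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG), ("empty", {})):
        print(name, find_overrides(cfg))
```

Run as-is, the ❌ sample yields one override finding for the sast job on the `script` keyword, the ✅ sample yields none, and an empty configuration is reported for the missing component.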
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
```yaml
controls:
  pipelineMustIncludeComponent:
    enabled: true
```

See the CLI documentation for the full configuration reference.