ISSUE-409 · High · Medium · Pipeline Composition
Forbidden override of required component
Control: Pipelines must include components · Config key: pipelineMustIncludeComponent
📋 What is this?
A required GitLab catalog component, as defined in your Policy controls, has been overridden in the project pipeline.
⚠️ Impact
Overriding required components can lead to non-compliant and insecure pipelines. For example, overriding a security scan component might bypass mandatory security checks.
🔧 How to fix
Remove the overrides from the project's CI/CD configuration. If the overridden behaviour is genuinely needed, add it to the required component itself or create a new component that provides it.
✗ Before
The SAST job is overridden, effectively disabling the security scan.

```yaml
# .gitlab-ci.yml — ❌ Overrides the SAST component's script
include:
  - component: gitlab.com/components/sast/sast@1.5.2

# This overrides the SAST job, potentially disabling the scanner
sast:
  script:
    - echo "SAST scan skipped"
  variables:
    SAST_EXCLUDED_PATHS: "**/*"
```

✓ After
The component is included and configured through its official inputs.

```yaml
# .gitlab-ci.yml — ✅ Uses component inputs, no overrides
include:
  - component: gitlab.com/components/sast/sast@1.5.2
    inputs:
      stage: test

# No local overrides on the sast job
# Customization is done through component inputs only
```

💡 Tips
- Check the component's documentation for available input variables.
- Variables can usually be set globally without overriding the job itself.
- If you need to customize behavior not covered by inputs, consider forking the component.
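The check behind this control can be reproduced in a few lines. The following is an added example, not plumber's own code: it takes the already-parsed form of a `.gitlab-ci.yml` (in practice loaded with a YAML parser such as PyYAML's `yaml.safe_load`), and assumes the policy records, for each required component, which job names that component defines (here the assumption that the SAST component defines a job called `sast`). The two sample configurations are constructed to mirror the Before and After files above.

```python
from dataclasses import dataclass

# Top-level GitLab CI keywords that are not job definitions.
RESERVED_KEYS = frozenset({
    "include", "stages", "variables", "default", "workflow",
    "image", "services", "cache", "before_script", "after_script",
})


@dataclass(frozen=True)
class RequiredComponent:
    path: str          # component path without the @version suffix
    jobs: frozenset    # job names the component defines (assumed known to the policy)


# Assumption: the policy records that the SAST component defines a job named "sast".
REQUIRED = [
    RequiredComponent(
        path="gitlab.com/components/sast/sast",
        jobs=frozenset({"sast"}),
    ),
]

# Constructed sample: the parsed form of the "Before" .gitlab-ci.yml above.
BEFORE_CONFIG = {
    "include": [
        {"component": "gitlab.com/components/sast/sast@1.5.2"},
    ],
    "sast": {
        "script": ['echo "SAST scan skipped"'],
        "variables": {"SAST_EXCLUDED_PATHS": "**/*"},
    },
}

# Constructed sample: the parsed form of the "After" .gitlab-ci.yml above.
AFTER_CONFIG = {
    "include": [
        {
            "component": "gitlab.com/components/sast/sast@1.5.2",
            "inputs": {"stage": "test"},
        },
    ],
}


def included_components(config):
    """Map component path (version stripped) -> include entry for every
    `component:` include. `include` may be a string, a dict or a list."""
    raw = config.get("include")
    if raw is None:
        entries = []
    elif isinstance(raw, list):
        entries = raw
    else:
        entries = [raw]
    found = {}
    for entry in entries:
        if isinstance(entry, dict) and "component" in entry:
            path = str(entry["component"]).split("@", 1)[0]
            found[path] = entry
    return found


def job_names(config):
    """Top-level keys that define jobs: mappings not in the reserved set."""
    return {
        key for key, value in config.items()
        if key not in RESERVED_KEYS and isinstance(value, dict)
    }


def check_required_components(config, required):
    """Return a list of finding strings; an empty list means the pipeline
    includes every required component without overriding its jobs."""
    findings = []
    present = included_components(config)
    jobs = job_names(config)
    for comp in required:
        if comp.path not in present:
            findings.append(f"required component {comp.path} is not included")
            continue
        for job in sorted(jobs & comp.jobs):
            findings.append(
                f"job '{job}' from required component {comp.path} "
                f"is overridden in the project pipeline"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        result = check_required_components(cfg, REQUIRED)
        print(name, "->", result or "compliant")
```

Because `variables` is in the reserved set, a project that sets scanner variables globally (the second tip above) passes the check, while a top-level job sharing a name with one the component provides is reported as an override. A missing component is reported separately so the two failure modes can be triaged differently.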
⚙️ Configuration
This control is configured in .plumber.yaml under the key:

```yaml
controls:
  pipelineMustIncludeComponent:
    enabled: true
```

See the CLI documentation for the full configuration reference.